SSL Decryption


L4 Transporter

Hey

Why doesn't PA do SSL decryption for this site: WeTransfer?

I can see PA is recognizing it as this application: wetransfer

But I can see the original GoDaddy certificate in the browser window, and in the PA logs I cannot see "decrypted" on this traffic. Why is this?

This is my decryption policy:

------------------------------------------------------------------------------------------------------------------------------------------------------------------

admin@PA-500# show rulebase decryption rules
rules {
  "no Decrypt" {
    category any;
    type {
      ssl-forward-proxy;
    }
    from trust;
    to untrust;
    source any;
    destination Hilan3-192.168.210.154;
    source-user any;
    negate-source no;
    negate-destination no;
    action no-decrypt;
    disabled no;
  }
  Decrypt {
    category any;
    type {
      ssl-forward-proxy;
    }
    from trust;
    to untrust;
    source any;
    destination any;
    source-user any;
    negate-source no;
    negate-destination no;
    action decrypt;
    disabled no;
  }
}

This is one of the sessions opened to the IP:

------------------------------------------------------------------------------------------------------------------------------------------------------------------

admin@PA-500> show session id 21323

Session           21323
        c2s flow:
                source:      192.168.1.149 [trust]
                dst:         173.241.240.180
                proto:       6
                sport:       52891           dport:      443
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
        s2c flow:
                source:      173.241.240.180 [untrust]
                dst:         192.168.1.149
                proto:       6
                sport:       443             dport:      52891
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
        start time                    : Wed Jun 26 13:34:22 2013
        timeout                       : 30 sec
        time to live                  : 19 sec
        total byte count(c2s)         : 1792
        total byte count(s2c)         : 4725
        layer7 packet count(c2s)      : 9
        layer7 packet count(s2c)      : 10
        vsys                          : vsys1
        application                   : wetransfer
        rule                          : rule1
        session to be logged at end   : True
        session in session ager       : True
        session synced from HA peer   : False
        layer7 processing             : completed
        URL filtering enabled         : True
        URL category                  : online-personal-storage
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : False
        captive portal session        : False
        ingress interface             : ethernet1/2
        egress interface              : ethernet1/1
        session QoS rule              : N/A (class 4)
        session tracker stage l7proc  : ctd err bypass
admin@PA-500>
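The first thing to rule out with a session that shows up undecrypted is whether the decryption rulebase would even have matched it. The script below is an added example, not code from the original post or from Palo Alto Networks: it parses the brace-formatted `show rulebase decryption rules` output and a few fields of the `show session id` record quoted above, then walks the rulebase top-down to report the first matching rule and its action. It assumes first-match semantics, that unmatched traffic is passed through undecrypted, and that the address object `Hilan3-192.168.210.154` resolves to that single host (all three are assumptions, not facts taken from the thread). For this session it lands on the `Decrypt` rule, which points the investigation at the layer-7 processing stage (`ctd err bypass` in the record) rather than at the policy.

```python
# Added example: re-check a PAN-OS decryption rulebase against one session.
# Not from the thread or from Palo Alto Networks; see assumptions in comments.
import re
from ipaddress import ip_address, ip_network

# Rulebase as posted in the thread, trimmed to the fields this matcher reads.
RULEBASE = """\
rules {
  "no Decrypt" {
    type {
      ssl-forward-proxy;
    }
    from trust;
    to untrust;
    source any;
    destination Hilan3-192.168.210.154;
    negate-source no;
    negate-destination no;
    action no-decrypt;
    disabled no;
  }
  Decrypt {
    type {
      ssl-forward-proxy;
    }
    from trust;
    to untrust;
    source any;
    destination any;
    negate-source no;
    negate-destination no;
    action decrypt;
    disabled no;
  }
}
"""

# Excerpt of the session record from the thread (only the lines used here).
SESSION = """\
        c2s flow:
                source:      192.168.1.149 [trust]
                dst:         173.241.240.180
        s2c flow:
                source:      173.241.240.180 [untrust]
                dst:         192.168.1.149
        application                   : wetransfer
        session tracker stage l7proc  : ctd err bypass
"""

# Assumption: how the named address object resolves (not stated on the page).
ADDRESS_OBJECTS = {"Hilan3-192.168.210.154": "192.168.210.154/32"}


def parse_block(lines, i=0):
    """Turn PAN-OS brace config into nested dicts; returns (node, next_index)."""
    node = {}
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line:
            continue
        if line == "}":
            return node, i
        if line.endswith("{"):                       # nested block, e.g. one rule
            child, i = parse_block(lines, i)
            node[line[:-1].strip().strip('"')] = child
        else:                                        # "key value;" or a bare keyword
            parts = line.rstrip(";").split(None, 1)
            node[parts[0]] = parts[1].strip('"') if len(parts) > 1 else True
    return node, i


def addr_matches(spec, ip):
    """spec is 'any', a host/CIDR, or an address-object name."""
    if spec == "any":
        return True
    try:
        return ip_address(ip) in ip_network(ADDRESS_OBJECTS.get(spec, spec), strict=False)
    except ValueError:
        return False


def first_match(rules, src_zone, dst_zone, src_ip, dst_ip):
    """Walk rules in order; return (rule name, action). Assumes first-match."""
    for name, r in rules.items():
        if r.get("disabled") == "yes":
            continue
        if r["from"] not in ("any", src_zone) or r["to"] not in ("any", dst_zone):
            continue
        # A negated address field matches exactly when the address does NOT.
        if addr_matches(r["source"], src_ip) == (r.get("negate-source") == "yes"):
            continue
        if addr_matches(r["destination"], dst_ip) == (r.get("negate-destination") == "yes"):
            continue
        return name, r["action"]
    return None, "no-decrypt"  # assumption: unmatched traffic is not decrypted


def parse_session(text):
    """Pull zones, endpoints and the layer-7 fields out of `show session id` output."""
    (src_ip, src_zone), (dst_ip, dst_zone) = re.findall(r"source:\s+(\S+) \[(\S+)\]", text)[:2]
    fields = dict(re.findall(r"^\s*([a-z0-9 ]+?)\s*:\s*(.+?)\s*$", text, re.M | re.I))
    return {"src_ip": src_ip, "src_zone": src_zone, "dst_ip": dst_ip, "dst_zone": dst_zone,
            "application": fields.get("application"),
            "l7proc": fields.get("session tracker stage l7proc")}


def diagnose(rulebase_text=RULEBASE, session_text=SESSION):
    """Combine both parsers: which decryption rule should this session have hit?"""
    rules = parse_block(rulebase_text.splitlines())[0]["rules"]
    s = parse_session(session_text)
    s["decryption_rule"], s["expected_action"] = first_match(
        rules, s["src_zone"], s["dst_zone"], s["src_ip"], s["dst_ip"])
    return s


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key:>16}: {value}")
```

Run it on the two blocks pasted from the CLI; if the reported rule is `Decrypt` but the traffic log shows no decryption, the policy is not the cause and the `l7proc` stage is the next field to raise with support.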

6 REPLIES

L4 Transporter

With my configuration, too. It isn't decrypted...

Any idea why?

Just tried it again with Chrome. Our own certificate was used, but in the logs it is still encrypted... Try it also with Chrome...

Yes, with Chrome it is being decrypted by the certificate that I see in the browser,

but I can see different logs when accessing the website using Chrome and using Explorer.

Contact Palo Alto support. They should be able to fix it. I guess the application is the issue... We had similar problems with YouTube...

It doesn't seem to be part of the internal whitelist at least:

Also it seems to be hosted by Amazon in case that somehow affects this "bug" (or whatever it is that's happening to you):

https://www.ssllabs.com/ssltest/analyze.html?d=www.wetransfer.com

PA devices have had problems with TLS in the past... even if SSL 3.0 is supported, the only supported cipher suites are TLS-based:

https://www.ssllabs.com/ssltest/analyze.html?d=www.wetransfer.com&s=176.34.236.232

Cipher Suites (sorted by strength; the server has no preference)

TLS_RSA_WITH_RC4_128_MD5 (0x4)     128
TLS_RSA_WITH_RC4_128_SHA (0x5)     128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)     128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)     168
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)     256
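A forward proxy has to complete its own TLS handshake with the origin server, so it can only decrypt where the suites the server offers overlap with the suites the proxy itself can negotiate. The script below is an added example, not code from this thread or from Palo Alto Networks: it parses the SSL Labs listing quoted above, flags suites built on primitives that current guidance treats as broken or deprecated (RC4, 3DES, MD5), and intersects the list with a hypothetical proxy capability set. `PROXY_SUITES` is an assumption for illustration, not PAN-OS's actual supported list; substitute whatever your decryption device documents.

```python
# Added example: compare a server's offered cipher suites with what an
# intercepting proxy is assumed to support. Not from the thread or from
# Palo Alto Networks; PROXY_SUITES is a hypothetical set.
import re

# Listing as quoted in the thread: name (hex id) key-bits.
SSLLABS_LISTING = """\
TLS_RSA_WITH_RC4_128_MD5 (0x4)     128
TLS_RSA_WITH_RC4_128_SHA (0x5)     128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)     128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)     168
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)     256
"""

# Assumption: suites the proxy can negotiate with the server (illustrative only).
PROXY_SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

# Primitives that current guidance treats as broken or deprecated.
WEAK_TOKENS = {"RC4", "3DES", "DES", "MD5", "NULL", "EXPORT"}

LINE_RE = re.compile(r"^(TLS_\S+)\s+\((0x[0-9a-fA-F]+)\)\s+(\d+)\s*$")


def parse_listing(text):
    """Return [(name, numeric id, key bits)] for each suite line; other lines are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append((m.group(1), int(m.group(2), 16), int(m.group(3))))
    return suites


def split_suite(name):
    """TLS_<key exchange>_WITH_<cipher>_<mac> -> (key exchange, cipher, mac)."""
    kx, rest = name[len("TLS_"):].split("_WITH_", 1)
    cipher, mac = rest.rsplit("_", 1)
    return kx, cipher, mac


def weak_reasons(name):
    """Deprecated primitives a suite relies on; an empty list means none were flagged."""
    kx, cipher, mac = split_suite(name)
    tokens = set(kx.split("_")) | set(cipher.split("_")) | {mac}
    return sorted(t for t in tokens if t in WEAK_TOKENS)


def assess(listing_text=SSLLABS_LISTING, proxy_suites=PROXY_SUITES):
    """Per-suite verdicts plus the overlap that decides whether interception can work."""
    suites = parse_listing(listing_text)
    report = {
        name: {"id": sid, "bits": bits, "weak": weak_reasons(name),
               "proxy_can_negotiate": name in proxy_suites}
        for name, sid, bits in suites
    }
    negotiable = [name for name, _, _ in suites if name in proxy_suites]
    return {
        "suites": report,
        "negotiable": negotiable,
        "interception_possible": bool(negotiable),
        # RSA key exchange only: no forward secrecy offered by this server.
        "forward_secrecy_offered": any(
            split_suite(name)[0].startswith(("ECDHE", "DHE")) for name, _, _ in suites),
    }


if __name__ == "__main__":
    result = assess()
    for name, verdict in result["suites"].items():
        print(f"{name:<34} weak={verdict['weak'] or '-'} proxy={verdict['proxy_can_negotiate']}")
    print("interception possible:", result["interception_possible"])
```

If `negotiable` comes back empty for a site, the session will pass through undecrypted no matter what the rulebase says; if it is non-empty (as here, with the two AES CBC suites), the cipher-suite mismatch theory does not explain the pass-through and the session's layer-7 state is the better lead.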
