SSL inbound decryption and Post message in PA PCAPS


Cyber Elite

We have configured SSL inbound decryption.

When we do the PCAPs on the PA we do not see the POST message in the rx and tx pcaps.

Need to know: is this the default behaviour?

In the traffic logs we see the decryption flag as checked.

Also from the CLI I verified that the PA is decrypting the traffic.

MP

Help the community: Like helpful comments and mark solutions.
Accepted Solutions

It seems the PA did the content update and now we see that the threat signature is triggered and the traffic is blocked under the threat logs.

Earlier we were seeing that the traffic was decrypted but not blocked under the threat logs.

MP

4 REPLIES

Cyber Elite

@MP18,

This is expected. If you want the POST message you would need to enable the decryption port mirror license, and verify that you can legally enable that feature in your location and your industry.

From a CLI perspective, the command show session all filter ssl-decrypt yes will display all the decrypted sessions across the firewall. You can filter this further to ensure that traffic is being actively decrypted where you expect it to be.

The issue is that we have a cert with a name like *.city.ca

and it has multiple subdomains like

maps.city.ca

All the URLs under the domain *.city.ca point to a single IP address.

When I do the pcaps for city.ca I see the POST and GET messages in the FW pcaps.

When the domain is maps.city.ca I do not see the GET and POST info in the pcaps on the FW.

I also tested by creating a custom URL for maps.city.ca and then adding that to the decryption rule; same thing.

MP

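An added example (not code from the thread or from Palo Alto Networks) illustrating the two points raised in the replies above: a firewall-side pcap of an inbound TLS session exposes the SNI in the ClientHello but keeps the HTTP GET/POST inside encrypted ApplicationData records, and a wildcard certificate name such as *.city.ca covers maps.city.ca but, under the RFC 6125 matching rule, not city.ca itself or a.b.city.ca. The TLS records, the "ciphertext" and the mirrored plaintext below are all constructed inline for the demonstration, and the parser assumes a TLS 1.2-style ClientHello carried in a single record.

```python
import re
import struct

HANDSHAKE, APPLICATION_DATA = 22, 23   # TLS record content types
CLIENT_HELLO = 1                       # handshake message type
SNI_EXTENSION = 0                      # server_name extension id


def build_client_hello(sni: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record carrying one SNI (constructed test input)."""
    host = sni.encode("ascii")
    server_name = b"\x00" + struct.pack(">H", len(host)) + host
    sni_list = struct.pack(">H", len(server_name)) + server_name
    ext = struct.pack(">HH", SNI_EXTENSION, len(sni_list)) + sni_list
    body = (
        b"\x03\x03" + b"\x11" * 32 + b"\x00"   # version, random, empty session id
        + b"\x00\x02\xc0\x2f"                   # one cipher suite
        + b"\x01\x00"                           # null compression
        + struct.pack(">H", len(ext)) + ext     # extensions block
    )
    handshake = bytes([CLIENT_HELLO]) + struct.pack(">I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def build_app_data(ciphertext: bytes) -> bytes:
    """TLS ApplicationData record; the HTTP request travels inside it, encrypted."""
    return b"\x17\x03\x03" + struct.pack(">H", len(ciphertext)) + ciphertext


def iter_records(stream: bytes):
    """Walk a byte stream of back-to-back TLS records, yielding (type, payload)."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _major, _minor, length = struct.unpack(">BBBH", stream[off:off + 5])
        yield ctype, stream[off + 5:off + 5 + length]
        off += 5 + length


def parse_sni(handshake: bytes):
    """Extract server_name from a ClientHello handshake message, or None."""
    p = 1 + 3 + 2 + 32                                    # type, length, version, random
    p += 1 + handshake[p]                                 # session id
    p += 2 + struct.unpack(">H", handshake[p:p + 2])[0]   # cipher suites
    p += 1 + handshake[p]                                 # compression methods
    if p + 2 > len(handshake):
        return None                                       # no extensions present
    end = p + 2 + struct.unpack(">H", handshake[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack(">HH", handshake[p:p + 4])
        p += 4
        if etype == SNI_EXTENSION:
            # list length (2), name type (1), name length (2), name
            name_len = struct.unpack(">H", handshake[p + 3:p + 5])[0]
            return handshake[p + 5:p + 5 + name_len].decode("ascii")
        p += elen
    return None


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: '*' only as the whole leftmost label, covering one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                 # ".city.ca"
    if not hostname.endswith(suffix):
        return False
    prefix = hostname[:-len(suffix)]     # the label(s) the '*' would have to cover
    return bool(prefix) and "." not in prefix


HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD) \S+ HTTP/1\.[01]\r\n", re.M)


def contains_http_request(data: bytes) -> bool:
    """True when a plaintext HTTP request line is visible in the bytes."""
    return HTTP_REQUEST_LINE.search(data) is not None


def summarize_capture(stream: bytes, cert_name: str) -> dict:
    """What a firewall rx/tx pcap of the TLS session reveals, given the server cert name."""
    summary = {"sni": None, "covered_by_cert": None,
               "handshake_records": 0, "app_data_records": 0, "http_visible": False}
    for ctype, payload in iter_records(stream):
        if ctype == HANDSHAKE and payload and payload[0] == CLIENT_HELLO:
            summary["handshake_records"] += 1
            summary["sni"] = parse_sni(payload)
            if summary["sni"]:
                summary["covered_by_cert"] = wildcard_matches(cert_name, summary["sni"])
        elif ctype == APPLICATION_DATA:
            summary["app_data_records"] += 1
            summary["http_visible"] |= contains_http_request(payload)
    return summary


# Constructed capture: ClientHello for maps.city.ca followed by one encrypted record.
FAKE_CIPHERTEXT = bytes(range(0x80, 0xb0))
SAMPLE_CAPTURE = build_client_hello("maps.city.ca") + build_app_data(FAKE_CIPHERTEXT)
# Constructed plaintext as a decryption port mirror would emit it (hypothetical request).
MIRRORED_PLAINTEXT = b"POST /maps/api HTTP/1.1\r\nHost: maps.city.ca\r\n\r\n"

if __name__ == "__main__":
    print(summarize_capture(SAMPLE_CAPTURE, "*.city.ca"))
    print("mirror shows HTTP request:", contains_http_request(MIRRORED_PLAINTEXT))
    for host in ("maps.city.ca", "city.ca", "a.b.city.ca"):
        print(host, "covered by *.city.ca:", wildcard_matches("*.city.ca", host))
```

Running it shows the capture yields the SNI and a cert match but http_visible stays False, while the mirrored plaintext does carry the POST; the wildcard check also makes the point that city.ca is only covered if it appears explicitly in the certificate's SANs.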

We opened a TAC case as we were able to exploit the vulnerability even though PA SSL decrypt is enabled.

Yes, you were spot on: you cannot see the GET/POST messages in the PCAP on the firewall or in debug ssl proxy.

But the PA should be able to see the threat signature and block it when SSL decryption is enabled.

MP
