SSL inbound decryption and Post message in PA PCAPS

SSL inbound decryption and Post message in PA PCAPS

We have configured SSL inbound decryption.

When we take PCAPs on the PA we do not see the POST message in the rx and tx pcaps.

Need to know: is this the default behaviour?

In the traffic logs we see the decryption flag checked.

Also, from the CLI I verified that the PA is decrypting the traffic.

MP

All Replies

Re: SSL inbound decryption and Post message in PA PCAPS

@MP18,

This is expected. If you want the POST message you would need to enable the decryption port mirror license, and verify that you can legally enable that feature in your location and your industry.

From a CLI perspective, the command show session all filter ssl-decrypt yes will display all the decrypted sessions across the firewall. You can filter this further to ensure that traffic is being actively decrypted where you expect it to be.


Re: SSL inbound decryption and Post message in PA PCAPS

The issue is that we have a cert with a name like *.city.ca

and it has multiple subdomains like

maps.city.ca

All the URLs under *.city.ca point to a single IP address.

When I take pcaps for city.ca I see the POST and GET messages in the FW pcaps.

When the domain is maps.city.ca I do not see the GET and POST info in the pcaps on the FW.

I also tested creating a custom URL category for maps.city.ca and adding that to the decryption rule; same thing.

MP
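A small client-side probe for the test described in the post above, added here as an example (it is not from the original poster or from Palo Alto Networks). It generates exactly the traffic to look for in the firewall pcap and in the decryption / threat logs: one TLS session per request to the same IP, with the SNI set to city.ca or maps.city.ca and carrying either a GET or a POST, and it reports which names the served certificate carries so you can see whether the wildcard actually covers the SNI you sent (under the usual RFC 6125 rule, *.city.ca covers maps.city.ca but not the bare city.ca, nor a.maps.city.ca). The IP 192.0.2.10, the paths, the POST body and the hostnames are constructed assumptions; replace them with the real VIP and names.

```python
"""Probe an inbound-decrypted HTTPS VIP with an explicit SNI and a GET/POST.

Added example for this thread, not code from the original post or from
Palo Alto Networks.  The target IP, hostnames, paths and body are
constructed placeholders.
"""
import socket
import ssl

TARGET_IP = "192.0.2.10"            # assumed: the one VIP all *.city.ca names resolve to
HOSTNAMES = ["city.ca", "maps.city.ca"]
POST_BODY = b"q=test&from=decrypt-check"   # constructed body, easy to spot in a pcap


def build_request(method, host, path, body=b""):
    """Return a minimal HTTP/1.1 request as bytes (the cleartext you expect in the pcap)."""
    head = (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: decrypt-check/1.0\r\n"
        "Connection: close\r\n"
    )
    if method == "POST":
        head += (
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n"
        )
    return head.encode("ascii") + b"\r\n" + body


def name_matches(pattern, host):
    """RFC 6125-style match: '*' only as the whole leftmost label, one level deep."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                       # "*.city.ca" -> ".city.ca"
    # Same number of labels and the same suffix: maps.city.ca yes, city.ca and
    # a.maps.city.ca no.
    return host.endswith(suffix) and host.count(".") == pattern.count(".")


def cert_names(cert):
    """Collect the CN and DNS SANs from an ssl.getpeercert() dictionary."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names


def covered_by(names, host):
    """True if any certificate name covers the SNI we are about to send."""
    return any(name_matches(n, host) for n in names)


def probe(host, method, path, ip=TARGET_IP, port=443, cafile=None):
    """One TLS session to ip with SNI=host carrying a single request.

    Returns (status_line, cert_names, covered).  One session per request keeps
    each GET and POST in its own firewall session, so they are easy to line up
    against the session table and the pcap.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # cafile: your internal CA if needed
    ctx.check_hostname = False   # chain is still verified; name coverage is reported, not fatal
    body = POST_BODY if method == "POST" else b""
    with socket.create_connection((ip, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            names = cert_names(tls.getpeercert())
            tls.sendall(build_request(method, host, path, body))
            status = tls.recv(4096).split(b"\r\n", 1)[0].decode("ascii", "replace")
    return status, names, covered_by(names, host)


if __name__ == "__main__":
    for hostname in HOSTNAMES:
        for meth, p in (("GET", "/"), ("POST", "/search")):
            st, ns, ok = probe(hostname, meth, p)
            print(f"{hostname:<14} {meth:<4} {st!r} cert={ns} covers_sni={ok}")
```

Run it while capturing on the firewall (rx/tx/fw stages) and while watching show session all filter ssl-decrypt yes; each line of output corresponds to one session, so a session that shows as decrypted but whose GET or POST is absent from the firewall-stage pcap is the case the thread is about. Hostname checking is disabled only so that a mismatch is reported instead of aborting; the chain is still validated, so pass cafile for an internal CA.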

Re: SSL inbound decryption and Post message in PA PCAPS

We opened a TAC case as we were able to exploit the vulnerability even though PA SSL decryption is enabled.

Yes, you were spot on: you cannot see the GET/POST messages in the PCAP on the firewall or in debug ssl proxy.

But the PA should be able to see the threat signature and block it when SSL decryption is enabled.

MP
Accepted Solution

Re: SSL inbound decryption and Post message in PA PCAPS

It seems the PA did the content update, and now we see that the threat signature is triggered and the traffic is blocked in the threat logs.

Earlier we were seeing that the traffic was decrypted but not blocked in the threat logs.

MP