SSL Sites bypass URL Category block

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

SSL Sites bypass URL Category block

Not applicable

Good Day Guys and Gals

I need ideas on the following issue please! I have a block on all Social networking sites for the company. The Policy works great when the user tries to access http://plus.google.com, but when they use SSL (https://plus.google.com) the user gains full access to the site. Same goes for all other Social networking sites! How do we stop them on SSL?

Thanx in advance!

13 REPLIES 13

L2 Linker

Hi, you need SSL Proxy to unencrypt SSL and analize the traffic. It is very easy to implement.

Regards

L6 Presenter

You could also block these using the URL filtering feature. URL filtering will work on encrypted or unencrypted traffic because it is making the allow/block decision using the unencrypted URL information.

-Benjamin

Good Morning Bpappas

Thank you for your reply!

I am actualy using the URL filtering feature, Policy with application filtering and plus.google url in custom deny list, but still it bypasses the PA......

Any other ideas?

@kobus.snyders:

if that is happening I would advise you to open a case with your support provider.

-Benjamin

Retired Member
Not applicable

The problem with URL filtering and HTTPS traffic is that with HTTPS you cannot actually see the GET message which URL filtering normally looks at because it is encrypted. So URL filtering can only apply to the URL in the certificate. If that certificate does not have "plus.google.com" then URL filtering will not work on that. It seems https://plus.google.com certificate was issued to "*.google.com". You can see a server certificate in IE by going to File > Properties and then click on Certificates button.

Likely the only way you will be able to reliably identify social media sites would be to use SSL proxy decryption as others have suggested.

-Richard

For this specific case, shouldn't blocking the 'google-plus' application achieve the same result?

That is not the case for me, it does block it in chrome but not in IE or Fx?  I've also added a url filter but that didnt work iether for google+  Im still testing but I ahve to ahve this closed by the end of the week.  I may have to open a case for the Palo techs to help me out on this. 

Hi, have you tried ssl decryption?. it works great with sites that uses ssl/https.

Im nervous to turn on SSL Decryption. Is it reliable ? Do I have to turn it on for all SSL traffic ? I just want the URL information.

Justin

You define for which zones and ipaddresses and/or users along with categories you wish to enable ssl decryption for.

In you case perhaps something like:

srczone: clients

dstzone: internet

srcip: any

dstip: any

user: any

categories: (select all categories, dont know if "any" exists yet).

action: decrypt

This way as soon as a ssl handshake is seen the PA will intercept depending on if you set this up as ssl-proxy (common when intercepting outgoing clients) or ssl inspection (common when intercepting incoming clients towards one of your servers which you have the private key for).

Previously there have been issues with 2000-series when there were to many concurrent ssl decryptions (because at 2000-series and below the mgmtplane is involved into creating the faked cert on the fly). I dont know if this has been fixed yet (I think it is).

Also note in order to make this transparent for the clients you need to import the CA cert (well the public part of what you imported into your PA device) as a trusted CA in your clients (can be done through group policy). Also you can use a second cert (and not import this one in your clients) which PA can use for ssl sessions that couldnt be verified (for example if the cert from the server at internet is expired, revoked or such).

Usually, Google services are fully compatible with SSL decryption.

If you want to activate it only for Google, create SSL Decryption rules only for the following ranges:

ip4:216.239.32.0/19

ip4:64.233.160.0/19

ip4:66.249.80.0/20

ip4:72.14.192.0/18

ip4:209.85.128.0/17

ip4:66.102.0.0/20

ip4:74.125.0.0/16

ip4:64.18.0.0/20

ip4:207.126.144.0/20

ip4:173.194.0.0/16

Not applicable

I found that if you define an application in the rules that also does URL filtering it needs to decrypt the packet to decipher the application.  One way is to use http and https ports.

For example your rule to block a website might look like:

srczone: trust

dstzone: untrust

application: web-browsing

action: allow

profile: URL filtering

Change to:

srczone: trust

dstzone: untrust

service: service-http, service-https

action: allow

profile: URL filtering

Just was one thing I came across that sounds close.  The other option is of course adding certificates.

Sounds odd... when you use url filter without decryption then the url filter can only look at the CN part of the certs passing through. This will also mean that the identified application will most likely just be "ssl" (and "web-browsing" for the cleartext stuff).

If you enable decryption then the real appid (lets say youtube or whatever) will be identified and the full url will be logged (and handled by the filters) aswell.

  • 6570 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!