09-28-2011 03:28 AM
Good Day Guys and Gals
I need ideas on the following issue please! I have a block on all Social networking sites for the company. The Policy works great when the user tries to access http://plus.google.com, but when they use SSL (https://plus.google.com) the user gains full access to the site. Same goes for all other Social networking sites! How do we stop them on SSL?
Thanx in advance!
09-28-2011 02:40 PM
You could also block these using the URL filtering feature. URL filtering will work on encrypted or unencrypted traffic because it is making the allow/block decision using the unencrypted URL information.
-Benjamin
09-28-2011 11:47 PM
Good Morning Bpappas
Thank you for your reply!
I am actualy using the URL filtering feature, Policy with application filtering and plus.google url in custom deny list, but still it bypasses the PA......
Any other ideas?
09-29-2011 01:58 PM
@kobus.snyders:
if that is happening I would advise you to open a case with your support provider.
-Benjamin
09-30-2011 09:05 PM
The problem with URL filtering and HTTPS traffic is that with HTTPS you cannot actually see the GET message which URL filtering normally looks at because it is encrypted. So URL filtering can only apply to the URL in the certificate. If that certificate does not have "plus.google.com" then URL filtering will not work on that. It seems https://plus.google.com certificate was issued to "*.google.com". You can see a server certificate in IE by going to File > Properties and then click on Certificates button.
Likely the only way you will be able to reliably identify social media sites would be to use SSL proxy decryption as others have suggested.
-Richard
10-03-2011 09:47 AM
For this specific case, shouldn't blocking the 'google-plus' application achieve the same result?
11-15-2011 01:32 PM
That is not the case for me, it does block it in chrome but not in IE or Fx? I've also added a url filter but that didnt work iether for google+ Im still testing but I ahve to ahve this closed by the end of the week. I may have to open a case for the Palo techs to help me out on this.
11-15-2011 05:52 PM
Hi, have you tried ssl decryption?. it works great with sites that uses ssl/https.
05-07-2012 05:34 PM
Im nervous to turn on SSL Decryption. Is it reliable ? Do I have to turn it on for all SSL traffic ? I just want the URL information.
Justin
05-07-2012 11:47 PM
You define for which zones and ipaddresses and/or users along with categories you wish to enable ssl decryption for.
In you case perhaps something like:
srczone: clients
dstzone: internet
srcip: any
dstip: any
user: any
categories: (select all categories, dont know if "any" exists yet).
action: decrypt
This way as soon as a ssl handshake is seen the PA will intercept depending on if you set this up as ssl-proxy (common when intercepting outgoing clients) or ssl inspection (common when intercepting incoming clients towards one of your servers which you have the private key for).
Previously there have been issues with 2000-series when there were to many concurrent ssl decryptions (because at 2000-series and below the mgmtplane is involved into creating the faked cert on the fly). I dont know if this has been fixed yet (I think it is).
Also note in order to make this transparent for the clients you need to import the CA cert (well the public part of what you imported into your PA device) as a trusted CA in your clients (can be done through group policy). Also you can use a second cert (and not import this one in your clients) which PA can use for ssl sessions that couldnt be verified (for example if the cert from the server at internet is expired, revoked or such).
05-08-2012 09:37 AM
Usually, Google services are fully compatible with SSL decryption.
If you want to activate it only for Google, create SSL Decryption rules only for the following ranges:
ip4:216.239.32.0/19
ip4:64.233.160.0/19
ip4:66.249.80.0/20
ip4:72.14.192.0/18
ip4:209.85.128.0/17
ip4:66.102.0.0/20
ip4:74.125.0.0/16
ip4:64.18.0.0/20
ip4:207.126.144.0/20
ip4:173.194.0.0/16
06-04-2013 12:59 PM
I found that if you define an application in the rules that also does URL filtering it needs to decrypt the packet to decipher the application. One way is to use http and https ports.
For example your rule to block a website might look like:
srczone: trust
dstzone: untrust
application: web-browsing
action: allow
profile: URL filtering
Change to:
srczone: trust
dstzone: untrust
service: service-http, service-https
action: allow
profile: URL filtering
Just was one thing I came across that sounds close. The other option is of course adding certificates.
06-04-2013 11:40 PM
Sounds odd... when you use url filter without decryption then the url filter can only look at the CN part of the certs passing through. This will also mean that the identified application will most likely just be "ssl" (and "web-browsing" for the cleartext stuff).
If you enable decryption then the real appid (lets say youtube or whatever) will be identified and the full url will be logged (and handled by the filters) aswell.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
