This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Troubleshooting SSL decryption failure of a website

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Troubleshooting SSL decryption failure of a website

Go to solution
dannon
L3 Networker

‎01-10-2018 10:14 AM

Hello.

 

We are using panOS 8.0.7 , Pan-DB URL filtering, and SSL decryption.

 

We are K12 education and use many Chromebooks in the organization.

 

We are trying to use a system called Clever to have our students log into their Chromebooks by scanning a QR code.  The problem is I cannot get the program to work. (https://clever.com/)

 

I know the issue is with the SSL decryption because if I exclude the device from decryption, things works correctly and I am prompted to scan my QR code.  With decryption turned on, I get a hung screen and can't proceed to the next step of login.

 

I have worked with Palo TAC and Clever support and haven't been able to get it working.

 

I have many URLs excluded from decryption that Google and Clever say need to be bypassed from decyption as well.

 

My next thoughts would be to run some packet captures, but I'm not that familiar with Wireshark analysis.  I am thinking I need to look at the headers to see if there are any other URLs which I don't have in my exclude list.

 

Under the traffic logs, for the sessions, I can see some entries are being decrypted.  In the URL filtering logs, I can see the sessions are not being decrypted.

 

Anyone have any thoughts on this, or would be willing to help out?

Dan

 

1 accepted solution

Accepted Solutions

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to dannon

‎01-16-2018 10:02 AM

Hello,

You are correct, adding URL's is the same for either. Here is hte breakdown of what I suggested:

 

*.domain.com = will allow anything infront of hte domain.com ,i.e. www.domain.com, mail.domain.com, etc.

domain.com = will allow anything if it doesnt have a prefix, i.e. domain.com, domain.com/whatever, etc.

 

So one just allows for a prefix prior to the domain name. While I cannot find the article, its best practice to perform it the way i have it outlined.

 

Hope that clears things up and glad its working for you!

View solution in original post

1 person found this solution to be helpful.
0 Likes Likes
10 REPLIES 10

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎01-10-2018 02:08 PM

Hello,

Sounds like you on are on the correct path. I'm sure many of us are willing to help, but would need to see the pcaps or any other information you are willing to share. I would agree that its probably a quick redirect somewhere that is causing the issue.

 

Try looking at the Unified logs from a client and see if that can tell the whole story.

 

Hope that helps.

0 Likes Likes

Go to solution
dannon
L3 Networker
In response to OtakarKlier

‎01-12-2018 09:10 AM

OK.

 

I can do a packet capture on the Palo with and without decryption turned on, so I'd hae 2 sets of captures (drop, firewall, transmit, receive)

 

Which ones would you like me to upload here?

 

0 Likes Likes

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to dannon

‎01-12-2018 09:17 AM

Hello,

Do you have the unified logs of the attempts made with SSL on and off? I think that may be a better start. Sorry for the confusion.

 

Please filter them by the source IP of the client making the attempts.

 

If you would rather perform this live via webex or something. Let me know when you might have time.

 

Regards,

0 Likes Likes

Go to solution
dannon
L3 Networker
In response to OtakarKlier

‎01-12-2018 01:37 PM

Here are the 2 screenshots.  I've got the excel files also, but don't know how to upload them.

 

 

GoodGoodFailFail

0 Likes Likes

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to dannon

‎01-12-2018 01:56 PM

Hello,

How are you bypassing decryption? For example when I know its a website, I create a custom URL and add the sites I dont want to decrypt there. And then create a decryption policy above my decrypt everything and set it to no decrypt.

 

I'm assuming you have clever.com and *.clever.com listed as no decrypt?

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to dannon

‎01-12-2018 02:13 PM

On the second line from the top in the fail screenshot, there is traffic to 13.57.157.75 that was decrypted, when I looked it up, it belonged to clever.com.

 

https://www.virustotal.com/en/ip-address/13.57.157.75/information/

 

https://www.virustotal.com/en/domain/clever.com/information/

 

I would say it might be a no decrypt rule that is not getting hit for some reason.

0 Likes Likes

Go to solution
dannon
L3 Networker
In response to OtakarKlier

‎01-16-2018 06:59 AM

Hello.

 

I've got all of my URLs in a custome URL category called "no decrypt".  I've got my decryption rules with the no decryption up top

 

decrypt.JPG

 

Decryption rule #1 is for bypass.  All other traffic gets decrypted by rule #5.  Rules 2-4 don't apply in this situation.

 

I also just verified that I have the following in my "no-decryption" URL category:

 

*.clever.com

*.clever.com/

 

I wasn't sure if I needed both URLs in a decryption bypass rule, so I have both.

 

 

 

0 Likes Likes

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to dannon

‎01-16-2018 07:18 AM

Hello,

The No-Decrypt URL should be"

 

*.clever.com

clever.com

 

Regards,

0 Likes Likes

Go to solution
dannon
L3 Networker
In response to OtakarKlier

‎01-16-2018 09:41 AM

OK.

 

I think that fixed it.

 

I'm confused now about how to enter URLs into the Palo -

 

for adding URLs to a custom category rules, I read here on Palo's site to enter them as

 

*.domain

*.domain/

 

to catch everything.  This would be if I wanted to recategorize a URL from a blocked to an allowed custom-URL category.  Or vice-versa.

 

I thought adding them to a no-decryption rule would be the same thing.

 

 

0 Likes Likes

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to dannon

‎01-16-2018 10:02 AM

Hello,

You are correct, adding URL's is the same for either. Here is hte breakdown of what I suggested:

 

*.domain.com = will allow anything infront of hte domain.com ,i.e. www.domain.com, mail.domain.com, etc.

domain.com = will allow anything if it doesnt have a prefix, i.e. domain.com, domain.com/whatever, etc.

 

So one just allows for a prefix prior to the domain name. While I cannot find the article, its best practice to perform it the way i have it outlined.

 

Hope that clears things up and glad its working for you!

1 person found this solution to be helpful.
0 Likes Likes
  • 1 accepted solution
  • 8421 Views
  • 10 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks