WhatsApp traffic cannot be recognized in PA for iPhone users.


L2 Linker

Recently, only iPhone users are facing a "connecting" message in WhatsApp. Users cannot send a message or make a call on the corporate wireless network, but it works on the mobile network.
It was working before; day by day, the number of users facing this issue is increasing. WhatsApp is still working for some of the iPhone users on the same wireless network.

Tried an iOS software update and a WhatsApp update as well, but no luck.

The same is working for all Android users, even on an old version of WhatsApp.

On the firewall end, WhatsApp traffic is not recognized as whatsapp-base for iPhone. It shows as unknown-tcp.

No recent changes on our firewall end.

Thanks,
Sharthu
49 REPLIES

L3 Networker

Please provide the latest update for this case.

@MichaelJonker, can you help me to know the status of the TAC case, please?

Hello CyberEye!

 

I'm afraid I have no news. I'm also waiting on an update. The latest information I have is that TAC might want to create a policy in our firewall to allow a specific part of the WhatsApp traffic so they could do another pcap on it. That would be in addition to the captures I already sent. That was at the end of October. But I haven't heard anything since then.

I'll keep you guys posted.

L3 Networker

I would appreciate it if anyone could update the Palo Alto TAC's comments regarding this matter. Even after updating the content version, we are experiencing the same problem.

TAC closed for us because the problem has been solved with a content update.

Which content version, please?

MarketMaker_0-1700646908526.png

 

L2 Linker

Hi,

My question is: if you have a decrypt policy for this kind of traffic, will the application be "known"?

The "unknown-tcp" is caused by not enough data in the three-way handshake, so if the firewall has a decrypt policy it would be able to see the traffic further than the three-way handshake.

And maybe then an application override policy will need to be created.

I will do a lab and try this; I will let you know.

WhatsApp traffic isn't decrypted by default because there is a predefined SSL Decryption Exclusion for this kind of traffic:

 

MarketMaker_0-1700649320034.png

It seems WhatsApp traffic can't be decrypted correctly, so Palo Alto made this exclusion, but the app can be recognized and filtered:

MarketMaker_1-1700649533024.png

 

 

So there is a problem with decrypting WhatsApp traffic?
I had this question with my team on Palo App-ID: when you don't have a decryption rule, to which extent is the App-ID correct, and what happens if I go to another site in the first site? Since the data is encrypted after the handshake, the Palo can't know it.

So my question is whether decryption will help Palo distinguish the App-ID better than without it, or whether all of the application signatures are made for traffic without a decrypt rule.

 

In my opinion, Palo Alto SSL decryption can't decrypt a proprietary protocol like WhatsApp, so the Palo Alto team decided to predefine an SSL exclusion.

I tried to disable this exclusion a month ago but it was worse. Nothing worked, but you can retry to test this on your side and let us know.

 

But without SSL decryption, App-id works well for us so no problem.

Where did you find this part?

Major2375_0-1700658040714.png


I'm searching for it in my lab.

L2 Linker

Device -> Certificate Management -> SSL Decryption Exclusion

L2 Linker

Yesterday I learned TAC is still working on our case but they're having technical difficulties replicating this issue. So they're still busy researching this and will update our security partner and me on progress.

L3 Networker

Any new updates?
