Exclude a Application behind Clientless VPN from decryption

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Exclude a Application behind Clientless VPN from decryption

L0 Member

Hi all,

 

I am currently facing the problem of publishing an internal web application via GlobalProtect Portal and Clientless VPN.

The principle is already used by us and works very well so far.

 

However, this one particular application has a property that makes SSL decryption impossible. With "normal" SSL decryption, you can either set a no-decrypt policy or a general exclusion from decryption.

 

However, I cannot find such a possibility for Clientless VPN and the normal exclusions do not work either. Without such an exclusion, however, the internal application cannot be published.

 

I also debugged, why the ssl inspection is not working, found the reason (Handshake, renegotiation) and found out that it is not possible to get this to work, it depends on the application itself, which i cant change.

What am I missing or what other possibilities exist that I may not know about? 

 

Many greetings
Martin

2 REPLIES 2

Cyber Elite
Cyber Elite

Hi @Martin.Shemon ,

 

The NGFW will decrypt clientless VPN because it is designed to do so.  The client creates an SSL session to the NGFW, and it creates a new SSL session to the internal server.  This happens even if you do not have decryption enabled.  It is, essentially, a man-in-the-middle.

 

You have 2 solutions, in my opinion.

 

  1. Fix the decryption issue.  For example, if you put the IP address in the Hostname field of the General tab and your certificate does not have the IP address in it, you will get decryption errors.  Many times the issue will come down to supported and non-supported technologies.  Please see the links below.
  2. Use the GlobalProtect client.  That traffic will abide by the decryption policy and can be excluded.

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-clientless-vpn...

 

https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vp...

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hi Tom,

thanks for the Hints !  
In this special case it is not possible to fix the decryption error, it depends on the application itself. After some deep debugging if found out that the Client Handshake breaks the SSL Decryption. I also found a PaloAlto article which describes that it is not resolvable. 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POJ0CAO&lang=en_US%E2%80%A...



This is why i asked for a decryption exclusion. 

I understand that it is not possible to exclude this special single host, so i have to find other solutions.
I now try to publish this application via a Global Protect Connection with a split tunnel configuration only for this single app.

If you or somebody has annother idea how to prevent decryption, it would be great, cause this is the prefered way.

Many Thanks and have a great weekend.
Martin


 

  • 1634 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!