Exclude an Application behind Clientless VPN from decryption


L0 Member

Hi all,


I am currently facing the problem of publishing an internal web application via GlobalProtect Portal and Clientless VPN.

The principle is already used by us and works very well so far.


However, this one particular application has a property that makes SSL decryption impossible. With "normal" SSL decryption, you can either set a no-decrypt policy or a general exclusion from decryption.


However, I cannot find such a possibility for Clientless VPN and the normal exclusions do not work either. Without such an exclusion, however, the internal application cannot be published.


I also debugged why the SSL inspection is not working, found the reason (handshake, renegotiation) and found out that it is not possible to get this to work; it depends on the application itself, which I can't change.

What am I missing, or what other possibilities exist that I may not know about?


Many greetings
Martin

Cyber Elite

Hi @Martin.Shemon ,


The NGFW will decrypt clientless VPN because it is designed to do so. The client creates an SSL session to the NGFW, and it creates a new SSL session to the internal server. This happens even if you do not have decryption enabled. It is, essentially, a man-in-the-middle.


You have 2 solutions, in my opinion.


  1. Fix the decryption issue. For example, if you put the IP address in the Hostname field of the General tab and your certificate does not have the IP address in it, you will get decryption errors. Many times the issue will come down to supported and non-supported technologies. Please see the links below.
  2. Use the GlobalProtect client. That traffic will abide by the decryption policy and can be excluded.

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-clientless-vpn...


https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vp...


Thanks,


Tom

Help the community: Like helpful comments and mark solutions.
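As an added illustration of the hostname-versus-certificate mismatch Tom describes (this is example code, not from the thread or from Palo Alto Networks): the firewall, acting as the TLS client towards the internal server, checks that the name it was configured with is actually present in the server certificate's Subject Alternative Names. An IP address entered as the hostname is only satisfied by an "IP Address" SAN, not by a DNS name. The certificate dictionaries below are constructed samples shaped like the output of Python's `ssl.SSLSocket.getpeercert()`; the names `app.internal.example`, `10.0.0.5` and "Corp Issuing CA" are assumptions, and `fetch_peer_cert()` is an assumed helper for pulling the same dictionary from a live server with your own CA file.

```python
from __future__ import annotations

import ipaddress
import socket
import ssl

# Constructed sample, shaped like ssl.SSLSocket.getpeercert(): the internal
# application's certificate carries only DNS names (no IP Address SAN).
APP_CERT_DNS_ONLY = {
    "subject": ((("commonName", "app.internal.example"),),),
    "issuer": ((("commonName", "Corp Issuing CA"),),),
    "subjectAltName": (("DNS", "app.internal.example"), ("DNS", "*.internal.example")),
}

# Constructed sample of a certificate that also names the server's IP address.
APP_CERT_WITH_IP = {
    "subject": ((("commonName", "app.internal.example"),),),
    "issuer": ((("commonName", "Corp Issuing CA"),),),
    "subjectAltName": (("DNS", "app.internal.example"), ("IP Address", "10.0.0.5")),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: exact match, or one leading wildcard label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard stands for exactly one label, so the label counts must agree
    # and everything to the right of the wildcard must match literally.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(hostname: str, cert: dict) -> tuple[bool, str]:
    """Decide whether the configured hostname is named by the certificate.

    Returns (matches, reason). This mirrors what a TLS client (here, the
    firewall talking to the internal server) checks: an IP address must appear
    as an 'IP Address' SAN, a DNS name as a 'DNS' SAN.
    """
    sans = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        ip_sans = [value for kind, value in sans if kind == "IP Address"]
        if not ip_sans:
            return False, "hostname is an IP address but the certificate has no IP Address SAN"
        if any(ipaddress.ip_address(value) == wanted_ip for value in ip_sans):
            return True, f"IP Address SAN matches {hostname}"
        return False, f"no IP Address SAN matches {hostname}"

    dns_sans = [value for kind, value in sans if kind == "DNS"]
    if not dns_sans:
        # Modern validators ignore the subject CN; report a mismatch rather
        # than silently falling back to it.
        return False, "certificate has no DNS SAN"
    for pattern in dns_sans:
        if _dns_name_matches(pattern, hostname):
            return True, f"DNS SAN {pattern!r} matches {hostname}"
    return False, f"no DNS SAN matches {hostname}"


def fetch_peer_cert(host: str, port: int = 443, cafile: str | None = None) -> dict:
    """Fetch a live server's certificate as a getpeercert() dict (needs network).

    Assumption: `cafile` is the CA that signed the internal server's certificate.
    Hostname checking is disabled here only because cert_covers() performs it.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Compare each way of naming the application against both sample certificates.
    for configured in ("app.internal.example", "web.internal.example", "10.0.0.5"):
        for label, cert in (("DNS-only cert", APP_CERT_DNS_ONLY), ("cert with IP SAN", APP_CERT_WITH_IP)):
            ok, why = cert_covers(configured, cert)
            print(f"{configured:22} vs {label:17}: {'OK  ' if ok else 'FAIL'} ({why})")
```

Running the script shows `10.0.0.5` failing against the DNS-only certificate with the reason "no IP Address SAN", which is the symptom behind the first of Tom's two suggestions: either name the application by a DNS name the certificate carries, or reissue the server certificate with the IP address as a SAN.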

Hi Tom,

Thanks for the hints!
In this special case it is not possible to fix the decryption error; it depends on the application itself. After some deep debugging I found out that the client handshake breaks the SSL decryption. I also found a Palo Alto article which describes that it is not resolvable.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POJ0CAO&lang=en_US%E2%80%A...

This is why I asked for a decryption exclusion.

I understand that it is not possible to exclude this special single host, so I have to find other solutions.
I am now trying to publish this application via a GlobalProtect connection with a split tunnel configuration only for this single app.

If you or somebody else has another idea how to prevent decryption, it would be great, because this is the preferred way.

Many Thanks and have a great weekend.
Martin
