This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

block non decrypt traffic

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

block non decrypt traffic

AlessandroSousa
L0 Member

‎05-03-2023 12:09 PM

Hello, I need to know how to block traffic that is not going through decrypt.

 

3 REPLIES 3

OtakarKlier
Cyber Elite
Cyber Elite

‎05-04-2023 02:49 PM

Hello,

There is some traffic that will break if you try to decrypt it so not decrypting it is the correct path. However I would setup decryption policies and place your decryption policy at the bottom of the Decryption policies, that way you can create 'do not decrypt' policies above that. However by creating the decryption policy, all traffic that matches the policy will be decrypted.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC

 

Regards,

0 Likes Likes

AlessandroSousa
L0 Member
In response to OtakarKlier

‎05-08-2023 07:18 AM

I had already done that. The problem is that the traffic I do NOT want to decrypt is actually an application (google-play), and in the decrypt module/filters (decrypt -> pre -rules) there is no option to insert application in the rule. This is causing an excessive increase of sessions in my decrypt which in turn is generating high processing in the firewall. In the image I attached, you can see that google-play is going through decrypt and consuming more than 5,000 sessions even though it is blocked in the main table (security rules)

Preview file
73 KB
0 Likes Likes

Adrian_Jensen
L6 Presenter
In response to AlessandroSousa

‎05-08-2023 10:06 AM

You often can not determine the application without decrypting the traffic, as the data that would determine the application is within a SSL session. Therefore application is not a valid filter for determining whether to decrypt or not.

 

According to my PA, the google-play application uses ports tcp/80, 443, 5228, and udp/5228. So option one would be to bypass decryption of traffic to port 5228, though this may not be ideal and may miss a large portion of SSL traffic on port 443. A second option would be to build a URL filter and try to bypass decryption based on that. A bit of Googling indicates that Google Play uses a URL in the format of https://play.google.com/store/xxx, however this may not always be the case as apps/content is frequently mixed across CDNs. So why not try bypassing decryption based on URL and see if that provides enough of a solution.

 

Create a new URL Category (Objects->Custom Objects->URL Category) for filtering items to be bypassed in decryption. Note that since you are not decrypting, you do not know the entire URL, just the FQDN in the SNI. Therefore you can only filter based on the FQDN portion of the URL: Be sure to terminate your entries correctly to prevent unwanted/unexpected expansion:

Name = Do-Not-Decrypt

Type = URL List

Sites = 

play.google.com/

 

Then create a decryption bypass rule (Policies->Decryption):

Name = Do-Not-Decrypt-URL

Src Zone = Trust

Dst Zone = Untrust

URL Category = Do-Not-Decrypt

Action = No Decrypt

 

  • 1244 Views
  • 3 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks