05-03-2023 12:09 PM
Hello, I need to know how to block traffic that is not going through decrypt.
05-04-2023 02:49 PM
Hello,
There is some traffic that will break if you try to decrypt it, so not decrypting it is the correct path. However, I would set up decryption policies and place your decryption policy at the bottom of the Decryption policies; that way you can create 'do not decrypt' policies above it. However, by creating the decryption policy, all traffic that matches the policy will be decrypted.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC
Regards,
05-08-2023 07:18 AM
I had already done that. The problem is that the traffic I do NOT want to decrypt is actually an application (google-play), and in the decrypt module/filters (Decrypt -> Pre-Rules) there is no option to insert an application in the rule. This is causing an excessive increase in sessions in my decrypt, which in turn is generating high processing on the firewall. In the image I attached, you can see that google-play is going through decrypt and consuming more than 5,000 sessions even though it is blocked in the main table (security rules).
05-08-2023 10:06 AM
You often cannot determine the application without decrypting the traffic, as the data that would determine the application is within an SSL session. Therefore application is not a valid filter for determining whether to decrypt or not.
According to my PA, the google-play application uses ports tcp/80, 443, 5228, and udp/5228. So option one would be to bypass decryption of traffic to port 5228, though this may not be ideal and may miss a large portion of SSL traffic on port 443. A second option would be to build a URL filter and try to bypass decryption based on that. A bit of Googling indicates that Google Play uses a URL in the format of https://play.google.com/store/xxx, however this may not always be the case as apps/content is frequently mixed across CDNs. So why not try bypassing decryption based on URL and see if that provides enough of a solution.
Create a new URL Category (Objects->Custom Objects->URL Category) for filtering items to be bypassed in decryption. Note that since you are not decrypting, you do not know the entire URL, just the FQDN in the SNI. Therefore you can only filter based on the FQDN portion of the URL. Be sure to terminate your entries correctly to prevent unwanted/unexpected expansion:
Name = Do-Not-Decrypt
Type = URL List
Sites =
play.google.com/
Then create a decryption bypass rule (Policies->Decryption):
Name = Do-Not-Decrypt-URL
Src Zone = Trust
Dst Zone = Untrust
URL Category = Do-Not-Decrypt
Action = No Decrypt
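To make the two points in the answers above concrete (a 'do not decrypt' rule ordered above a catch-all decrypt rule, and the trailing slash on the URL entry limiting the match to the SNI host), here is a small added model written for this page. It is not PAN-OS code or Palo Alto's matching implementation: the rule names, zones, sample SNIs and the simplified "terminated entry = exact host, unterminated entry = prefix match" semantics are assumptions chosen to illustrate the caveat the answer gives, and only the host part of each entry is considered because nothing beyond the SNI is visible before decryption.

```python
"""Toy, top-down decryption policy evaluation keyed on the TLS SNI.

Constructed example for this thread; not PAN-OS code. Match semantics are a
simplified model of the trailing-slash caveat in the answer, not the
vendor's documented behaviour.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def entry_matches(entry: str, sni: str) -> bool:
    """Match one custom URL category entry against an SNI host.

    'host/'  -> terminated: the SNI must equal 'host' exactly.
    'host'   -> unterminated (assumed prefix semantics): any SNI that merely
                starts with 'host' matches, e.g. play.google.com.evil.example,
                which is the "unexpected expansion" the answer warns about.
    """
    host = sni.strip().lower().rstrip(".")
    entry = entry.strip().lower()
    if entry.endswith("/"):
        return host == entry[:-1]
    return host.startswith(entry)


@dataclass
class DecryptRule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                          # "no-decrypt" or "decrypt"
    url_entries: Optional[List[str]] = None   # None means "any URL category"

    def matches(self, src_zone: str, dst_zone: str, sni: str) -> bool:
        if (self.src_zone, self.dst_zone) != (src_zone, dst_zone):
            return False
        if self.url_entries is None:
            return True
        return any(entry_matches(e, sni) for e in self.url_entries)


def evaluate(rulebase: List[DecryptRule], src_zone: str, dst_zone: str,
             sni: str) -> Tuple[Optional[str], str]:
    """First matching rule wins, top to bottom.

    If no rule matches, the session is simply not decrypted; we report that
    as (None, "no-decrypt") so callers can tell it apart from an explicit hit.
    """
    for rule in rulebase:
        if rule.matches(src_zone, dst_zone, sni):
            return rule.name, rule.action
    return None, "no-decrypt"


# Rulebase as the answer recommends: the exception sits ABOVE the catch-all
# decrypt rule, and the entry is terminated with a trailing slash.
RULEBASE_TERMINATED = [
    DecryptRule("Do-Not-Decrypt-URL", "Trust", "Untrust", "no-decrypt",
                ["play.google.com/"]),
    DecryptRule("Decrypt-All", "Trust", "Untrust", "decrypt"),
]

# Same ordering, but the entry was left unterminated (assumed prefix match).
RULEBASE_UNTERMINATED = [
    DecryptRule("Do-Not-Decrypt-URL", "Trust", "Untrust", "no-decrypt",
                ["play.google.com"]),
    DecryptRule("Decrypt-All", "Trust", "Untrust", "decrypt"),
]

# Constructed SNIs; the second is a look-alike host, not a real Google name.
SAMPLE_SNIS = [
    "play.google.com",
    "play.google.com.evil.example",
    "www.google.com",
]


def decisions(rulebase: List[DecryptRule]) -> dict:
    """Map each sample SNI (Trust -> Untrust) to the (rule, action) chosen."""
    return {sni: evaluate(rulebase, "Trust", "Untrust", sni)
            for sni in SAMPLE_SNIS}


if __name__ == "__main__":
    for label, rb in (("terminated", RULEBASE_TERMINATED),
                      ("unterminated", RULEBASE_UNTERMINATED)):
        print(f"--- {label} entry ---")
        for sni, (rule, action) in decisions(rb).items():
            print(f"{sni:32} -> {action:10} ({rule})")
```

Running it shows the difference the trailing slash makes: with `play.google.com/` only the exact host is exempted and the look-alike host still falls through to the catch-all decrypt rule, whereas the unterminated entry also exempts the look-alike host from decryption. Traffic from a zone that no rule names is left undecrypted without any rule being hit, which is why a bottom catch-all decrypt rule is needed if the intent is "decrypt everything not explicitly exempted".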