block non decrypt traffic

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

block non decrypt traffic

L0 Member

Hello, I need to know how to block traffic that is not going through decrypt.

 

3 REPLIES 3

Cyber Elite
Cyber Elite

Hello,

There is some traffic that will break if you try to decrypt it so not decrypting it is the correct path. However I would setup decryption policies and place your decryption policy at the bottom of the Decryption policies, that way you can create 'do not decrypt' policies above that. However by creating the decryption policy, all traffic that matches the policy will be decrypted.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC

 

Regards,

I had already done that. The problem is that the traffic I do NOT want to decrypt is actually an application (google-play), and in the decrypt module/filters (decrypt -> pre -rules) there is no option to insert application in the rule. This is causing an excessive increase of sessions in my decrypt which in turn is generating high processing in the firewall. In the image I attached, you can see that google-play is going through decrypt and consuming more than 5,000 sessions even though it is blocked in the main table (security rules)

You often can not determine the application without decrypting the traffic, as the data that would determine the application is within a SSL session. Therefore application is not a valid filter for determining whether to decrypt or not.

 

According to my PA, the google-play application uses ports tcp/80, 443, 5228, and udp/5228. So option one would be to bypass decryption of traffic to port 5228, though this may not be ideal and may miss a large portion of SSL traffic on port 443. A second option would be to build a URL filter and try to bypass decryption based on that. A bit of Googling indicates that Google Play uses a URL in the format of https://play.google.com/store/xxx, however this may not always be the case as apps/content is frequently mixed across CDNs. So why not try bypassing decryption based on URL and see if that provides enough of a solution.

 

Create a new URL Category (Objects->Custom Objects->URL Category) for filtering items to be bypassed in decryption. Note that since you are not decrypting, you do not know the entire URL, just the FQDN in the SNI. Therefore you can only filter based on the FQDN portion of the URL: Be sure to terminate your entries correctly to prevent unwanted/unexpected expansion:

Name = Do-Not-Decrypt

Type = URL List

Sites = 

play.google.com/

 

Then create a decryption bypass rule (Policies->Decryption):

Name = Do-Not-Decrypt-URL

Src Zone = Trust

Dst Zone = Untrust

URL Category = Do-Not-Decrypt

Action = No Decrypt

 

  • 1359 Views
  • 3 replies
  • 1 Likes
  • 38 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!