04-10-2025 01:22 PM
This is a re-post of an earlier post of mine that has been buried, but this time with a little more context.
Is there already a central location where all app-ids that require decryption to use/discover are listed? It's called out in the content release notes if an application requires decryption, but I haven't seen that noted anywhere else like Applipedia or in the PAN-OS configuration itself.
Does this information exist anywhere outside of the "New App-IDs" releases? I'm trying to plan out further adoption of app-id based rules and I want to account for that in our decryption policy as well if I need to, but I don't think I can dig through every "New App-ID" release post that exists. Is this something I should submit as a feature request? In my opinion this should be listed as a simple yes/no on the Applipedia entry for a given App-ID the same way it is for the "New App-IDs" release notes.
04-10-2025 02:02 PM
I'm not aware of any maintained database of applications that require decryption versus those that don't. The release notes primarily make mention of it so you know whether or not you'll potentially be impacted by the new signatures.
Can I ask what you're actively planning to pair from a decryption and app-id standpoint? Generally I don't see people wrap up both of those in a side-by-side manner. Decryption is generally something that is enabled for a subset of users (or a subset of test accounts) for validation, but the decryption policies would be pretty broad. You'll generally just create exceptions when decryption isn't possible, or when exceptions are needed temporarily until the application/service owner can correct the decryption issue (for example if you just have mismatching ciphers). App-ID on the other hand is generally built out based off of what the firewall is actively seeing.
04-11-2025 05:42 AM
Not OP, but...
If I could look at the application and see if decryption is needed, I could determine if I can use that application in a security policy that would hit or miss users based on our decryption policies. As it stands, I have to create a broader policy, and see what applications are identified and then narrow down the policy.
Additionally, I have had our help desk ask if certain applications that worked outside our organization were subject to decryption. An easy way to find an answer to that question would be to look at the application under "objects" and look for a field that says "decryption needed" or some such. But without that, I have to ask for them to try the application in question, for me to try and identify it by destination or host name, look in the logs, and see if it was decrypted.
04-11-2025 08:54 AM
@BPry,
Some of the App-IDs require the traffic to be decrypted in order to identify them correctly, so what I've ended up having to do on occasion is create a rule that matches "ssl" but with a specific port also defined on the rule. If there are apps that you want to be able to take action on, you'll need to know ahead of time whether they require decryption so you can plan for that accordingly.
The other thing that I'm wondering about is any Microsoft 365 related App-IDs that require decryption to be able to identify, because typically decrypting M365 traffic also breaks it, so I'm curious as to how one would set up the necessary policies to not break M365 traffic but also be able to get granular enough to specifically block the App-ID "ms-teams-create" as mentioned in this release.
Being able to know ahead of time which App-IDs do or do not require decryption can help with planning and optimizing your overall policy, and the information is already known (whether or not an App-ID requires decryption is listed on every release), so I'd just like to see if a central list of these App-IDs already exists and if not, if one could be created or better yet as @ACESZach mentioned just add a field to the App-ID entry on Applipedia or within the Firewall/Panorama/Strata interface that says "Requires Decryption: Yes/No". I could go look for the releases for specific App-IDs, but part of the motivation for asking for this is to optimize the time it takes to narrow down what rules are required, either by cutting down how many trial and error passes we have to make with the user making the request or cutting down on the time it takes to research what's needed to address the user's request.
All that being said, to your point, the decryption policies do not have a place to look at App-IDs, so there's still going to be some research involved to identify the necessary URLs and/or URL categories and/or destination addresses to write a specific decryption rule, and then do that in a way (to use the MS Teams example) that doesn't break the app before ever being able to identify the specific App-ID you want. For more "local" things this would be simple enough, one of the rules I had to write was to address postgres over TLS, currently I have that handled with a second rule that matches SSL over the specific port. If we could apply decryption policies at the individual security policy rule level that might make it easier to target that, but even then, you're still trying to match an App-ID that the firewall won't know about until after decryption, so it might not be a workable solution anyway.
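Two of the replies above describe the same manual workaround: check the traffic log to see whether a session was decrypted, and notice which destinations only ever show up as the generic "ssl" App-ID on a port (the postgres-over-TLS case). The script below is an added example, not code from this thread or from Palo Alto Networks. It works over a constructed CSV export with only the columns it needs (`app`, `dst`, `dport`, `rule`, `flags`) and assumes that bit `0x01000000` of the PAN-OS traffic log `flags` field marks a decrypted session; confirm that bit against the log field reference for your PAN-OS version before using real exports.

```python
"""
Summarize PAN-OS traffic log rows by App-ID and decryption state, so the
"was this decrypted?" and "which destinations are still opaque?" questions
from the thread can be answered from a log export instead of per-user tests.
"""
import csv
import io
from collections import defaultdict

# Assumption: this bit in the traffic log "flags" field marks a session that
# was decrypted (SSL proxy). Verify against your PAN-OS log field reference.
DECRYPTED_FLAG = 0x01000000

# Constructed sample export; real exports carry many more columns.
SAMPLE_LOG = """\
app,dst,dport,rule,flags
ssl,10.0.5.20,5432,allow-db-tls,0x400000
postgres,10.0.5.20,5432,allow-db-tls,0x1400000
ms-teams,52.112.0.10,443,allow-m365,0x400000
ssl,52.112.0.11,443,allow-m365,0x400000
web-browsing,93.184.216.34,443,allow-web,0x1000000
"""


def parse_rows(text):
    """Parse the CSV export and derive a boolean 'decrypted' per row."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["flags"] = int(r["flags"], 16)
        r["dport"] = int(r["dport"])
        r["decrypted"] = bool(r["flags"] & DECRYPTED_FLAG)
        rows.append(r)
    return rows


def summarize(rows):
    """Per App-ID: how many sessions were decrypted vs. not decrypted."""
    summary = defaultdict(lambda: {"decrypted": 0, "not_decrypted": 0})
    for r in rows:
        key = "decrypted" if r["decrypted"] else "not_decrypted"
        summary[r["app"]][key] += 1
    return dict(summary)


def opaque_ports(rows):
    """dst:port pairs only ever seen as generic 'ssl' without decryption.

    These are the candidates for either a decryption rule or the
    'ssl' + specific port fallback rule described in the thread.
    """
    seen = defaultdict(set)
    for r in rows:
        seen[(r["dst"], r["dport"])].add((r["app"], r["decrypted"]))
    return sorted(k for k, v in seen.items() if v == {("ssl", False)})


def decryption_only_apps(rows):
    """App-IDs that this log only ever identified inside decrypted sessions.

    This is evidence from your own traffic, not the authoritative
    'Requires Decryption: Yes/No' flag the thread is asking Palo Alto for.
    """
    s = summarize(rows)
    return sorted(a for a, c in s.items()
                  if c["decrypted"] > 0 and c["not_decrypted"] == 0)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_LOG)
    for app, counts in sorted(summarize(rows).items()):
        print(f"{app:14s} decrypted={counts['decrypted']} "
              f"not_decrypted={counts['not_decrypted']}")
    print("opaque ssl-only destinations:", opaque_ports(rows))
    print("seen only when decrypted:", decryption_only_apps(rows))
```

In the sample, the postgres destination shows up both as "ssl" (not decrypted) and as "postgres" (decrypted), so it is not reported as opaque, while the second M365 host is only ever "ssl" and is the one still needing a decryption or port-based rule.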