SSL Decryption not working consistently on Macs


We just installed SSL decryption (not self-signed) across our PANs. It is working fine with Windows workstations at the office and at home. However, with Mac machines it is working inconsistently when at home and connected to GlobalProtect. On some sites it picks up the SSL decryption cert, while on others it doesn't. I have already tried to upgrade and downgrade the GP but still no luck.

 

Any recommendation that I should try? 

3 REPLIES

Hi @ljovellanos ,

Can you describe the problem with a bit more information?

What is the user experience? Does he receive SSL error messages? Or is the page not decrypted?

Can you provide some screenshots with examples?

 

What version of PAN-OS are you using?

Does your GlobalProtect gateway profile for Mac users apply Full tunnel or Split tunnel? Do you have any inclusion/exceptions based on DNS, application or routing?

 

 

Thanks for the response @aleksandar.astardzhiev 

I noticed that this only happens with Macs when they are connected to GlobalProtect. No issues encountered with Windows machines when using GP.

 

What is the user experience? Does he receive SSL error messages? Or is the page not decrypted?

--> I don't see or receive any SSL error message when visiting sites. Most of the sites I visited were not showing the SSL decryption certificate that I've created. However, there was one site (virustotal) that is using the certificate that I've created. Please see the attached images.

--> It only happens when the machine is connected to the GlobalProtect VPN, but when the machine is at the office and connected to the network via LAN or wireless, SSL decryption is working fine; it is using the SSL decryption certificate.

 

--> I have already tried downgrading or upgrading the GP version on that Mac but got the same problem.

--> I have tried different browsers as well, but no luck.

 

What version of PAN-OS are you using?

--> I'm currently testing it on PAN-OS version 9.1.13-h1, but I have also tried 10.1.5-h2 and got the same behaviour.

 

GlobalProtect version

--> GlobalProtect App Version 6.1.0-58

--> We are using full tunneling when connected to GP.

 

Do you have any inclusion/exceptions based on DNS, application or routing?

--> None. It is working fine with Windows machines when connected to GP.

 

Hi @ljovellanos ,

If your GP VPN is configured in full-tunnel mode and there is no domain or application exclusion, I would look for issues with the GP agent.

I noticed that you are using Chrome, so I would take a wild guess:

- Your GP users are allowed to the internet with different rules (different from internal users).

- One of those rules allows GP users to use QUIC. QUIC is a proprietary protocol and cannot be decrypted.

- When users are inside the local network they are using different rules, which probably block QUIC and force Chrome to fall back to standard HTTPS, which is being decrypted.

 

You should be able to easily confirm or deny my assumption by:

- Checking your traffic logs when the Mac is connected to GP and searching for (addr.src in <gp-ip-macos>) and (app eq quic). Does your FW block or allow quic?

- Checking your URL logs when the Mac is connected to GP. Even without decryption, if your Mac is using HTTPS the firewall should be able to inspect the SSL negotiation and create a URL log when you try to open facebook or virustotal (or any other site).

 

I believe I get your point: you believe that GP is not sending all traffic over the tunnel and that is why it is not being decrypted. Although you could never rule out a wild bug that could cause this, it is easier to confirm some other theories before digging for bugs:

- Check the host routing table while connected to GP and confirm the default route is pointing to the VPN tunnel.

- Confirm in the config that there is no exclusion for GP (GP gateway -> Agent -> Setting -> Split tunnel -> Domain and Apps).

- Try to access a test page that you expect to be decrypted while connected to GP. Check your URL logs: do you see a log for that URL? With nslookup, resolve the FQDN to an IP and try searching for this IP in your firewall logs. Do you see any connections on the FW? What application has the firewall identified?
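The QUIC check suggested in the replies above, as an added example that is not part of the thread: it runs the `(addr.src in <gp-ip-macos>) and (app eq quic)` idea over a few constructed, simplified log records. The GP client pool 172.16.50.0/24, the LAN subnet, the field names and the sample rows are all assumptions for this example, not the real PAN-OS export layout.

```python
import csv
import ipaddress
from io import StringIO

# Constructed, simplified log records (NOT the real PAN-OS CSV export layout).
# 172.16.50.0/24 is the assumed GlobalProtect client pool; 10.0.1.0/24 the LAN.
# Destinations use RFC 5737 documentation addresses.
SAMPLE_LOG = """\
src,dst,dport,proto,app,action,decrypted
172.16.50.23,203.0.113.10,443,udp,quic,allow,no
172.16.50.23,203.0.113.10,443,tcp,ssl,allow,yes
172.16.50.23,198.51.100.7,443,udp,quic,allow,no
172.16.50.23,198.51.100.9,443,tcp,ssl,allow,yes
10.0.1.15,203.0.113.10,443,udp,quic,deny,no
10.0.1.15,203.0.113.10,443,tcp,ssl,allow,yes
"""


def parse_log(text):
    """Parse the constructed CSV into a list of dicts, one per session."""
    return list(csv.DictReader(StringIO(text)))


def quic_bypass_sessions(records, pool):
    """Equivalent of '(addr.src in <pool>) and (app eq quic)' restricted to
    allowed sessions: QUIC the firewall lets through is never decrypted."""
    net = ipaddress.ip_network(pool)
    return [r for r in records
            if ipaddress.ip_address(r["src"]) in net
            and r["app"] == "quic" and r["action"] == "allow"]


def summarize(records, gp_pool):
    """Compare GP clients with everyone else: QUIC allowed only from the GP
    pool supports the 'different rules for GP users' hypothesis."""
    net = ipaddress.ip_network(gp_pool)
    stats = {"gp_quic_allowed": 0, "gp_ssl_decrypted": 0, "other_quic_allowed": 0}
    for r in records:
        in_pool = ipaddress.ip_address(r["src"]) in net
        if r["app"] == "quic" and r["action"] == "allow":
            stats["gp_quic_allowed" if in_pool else "other_quic_allowed"] += 1
        elif in_pool and r["app"] == "ssl" and r["decrypted"] == "yes":
            stats["gp_ssl_decrypted"] += 1
    return stats


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for s in quic_bypass_sessions(recs, "172.16.50.0/24"):
        print(f"QUIC allowed (not decryptable): {s['src']} -> {s['dst']}")
    print(summarize(recs, "172.16.50.0/24"))
    # Fix the reply implies: deny app 'quic' for GP users so Chrome falls
    # back to TCP/TLS, which the decryption policy can then inspect.
```

If the summary shows QUIC allowed from the GP pool but denied from the LAN, the inconsistent certificate is expected behaviour rather than a GP agent bug.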
