09-13-2019 02:31 PM
I'm running a PA-VM and created one active rule:
From: Inside
To: Outside
Application: Web Basic Application group (ssl,dns,web-browsing,ping)
Service: application-default
Action: Allow
SSL Decryption is disabled
I'm facing issues browsing to websites with preconfigured App-ids:
Not working:
linkedin/soundcloud/battle.net/docs.google.com (any other website with a specified App-ID)
Working:
youtube/google(search-engine)
I'm running PA that doesn't have the google-base yet.
"During the SSL encrypted session, the firewall receives server "hello packets", which has the certificate details or the server can send a separate certificate packet. The firewall looks for the X.509 digital certificate received from the server and inspects the common name field in the SSL Handshake Protocol."
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVSCA0
1.)
I ran it in the Lab, and the results were different:
PC ---> TLS Client Hello(server-name=www.linked.com) ---> FW ---> Linkedin (Sent)
Linkedin ---> TLS Server Hello -- FW ----> DROPPED
Application is listed as linkedin-base with action Discard
The certificate from Linkedin is not sent until Linkedin receives an ACK on the TLS Server Hello.
I tested this on a PC with direct internet access; this contradicts the post from the Palo Alto Knowledge Base.
2.)
I tested HTTP & HTTPS to battle.net
Note: battle.net is redirected to blizzard.com
With HTTP:
- Dropped and classified as battle.net in traffic monitor
- HTTP GET is dropped on the firewall side
- Classified as battle.net App-id
With HTTPS:
- Works successfully and is redirected
- The Common Name in the server certificate is www.battle.net - this should be matched by the App-ID engine but is listed as an SSL application
My question is, does it use the certificate to match the App-ID and/or the HTTP GET?
How does the actual matching process work, and why doesn't it work the same across the board?
Software: 7.0.1
Application Version: 497-2688
Thanks guys