@nreynders wrote:

Last year I implemented a rule to allow users in my company access to the reddit.com site. It is in our company policy to disallow sharing messages on social media, so I implemented this rule with URL filtering (chat/messages/etc...) and only allowing the appid "reddit-base", not "reddit-posting". This worked at the time, and has stopped functioning properly some time in the past year.

 

Now, users are still limited from messaging/chat/etc... but can post comments and new threads on the site.

 

This relates to SSL decryption as I was digging down the rabbit-hole and think that the "reddit-posting" appid has switched over to "web-browsing". I was wondering:

1. If I implement SSL decryption on reddit, will it pick up the "reddit-posting" appid again?

2. Why do I no longer see "reddit-posting" in my logs?

3. What can SSL decryption do--or can't do--to help me solve this issue?

4. Is this more so a question about how PA identifies appids for reddit?


 

When you built the policy last year and it worked with the proper APP-ID being identified, had SSL decryption been configured? In general the answer is always going to be yes: to ensure proper application of policy and identify traffic as the right APP-ID, SSL decryption will always be looked at as needing to be deployed. SSL decryption breaks open the SSL/TLS packets, exposing the encrypted payload. APP-ID is going to be based on being able to properly see a packet's contents/payload. So if the packet is encrypted, there's certainly going to be a limitation on Palo's ability to apply the correct application to traffic traversing the firewall.
