Who rated this post

Hello,

For a period of time, the solution proposed by @dcaporetto worked also for me, but starting with one month ago I start having problems with Anydesk clients. After investigation, the following solution work for my PA:

Update on April 10th, 2024:

Because I saw that there is interest in managing Anydesk traffic through the Palo Alto Networks firewall and the changes from April 2024, I decided to update this. In fact, at least one change in the decryption profile is necessary, that is, to stop verifying the issuer of the certificate because we have no way until we can obtain the new AnyDesk Root CA 2 certificate.

Update 2 on April 10th, 2024: (a big Thank You! for @S-Battermann, because we have now the new AnyDesk Root CA 2 certificate)

1. Unzip the AnyDesk-Root-CA-2.zip attached file
2. Import into firewall the AnyNet Root CA 2 certificate (AnyDesk ROOT CA 2.crt) and marked as Trusted Root CA.
   • 

      

3. Create a service object for TCP 80 and 6568
   • 
4. Create a custom URL list for: 
   • anynet%20relay/
   • anynet%20relay:80/
   • anynet%20relay:6568/
   • anynet relay:6568/
   • anynet relay:80/
   • anynet relay/
   • *.net.anydesk.com/
   • 

      

5. Create a decryption profile with "Block sessions with expired certificates" and "Block sessions with untrusted issuers" checked on No Decryption tab
   • 
6. Create a decryption policy with action of NO-DECRYPT using custom URL categories and services configured above as match criteria and action of NO-DECRYPT
   • 

Note: If your service object includes only destination port 6568, then in your decryption policy you need to include also service-http, on service criteria.