SSL DERYPTION : How to automate URL/domaine decryption Exclusion properly?

L0 Member

SSL DERYPTION : How to automate URL/domaine decryption Exclusion properly?

Use case : Ours users go through Palo alto for internet access. Decryption feaures has been enabled.
When users try to access to internet may failed because the decryption-error.
We need a solution to automate URL SSL decryption exclusion and log urls excluded for review. Perfectly in a dynamics external list or in a custom url category. Theses dynamics objects will be in a no-decript rule.


How can i achieve it ?

Several mai cause errors : Server-error, client-error mainly aout handshake negotiation.
Existing solution :
- Use a feature in the decyption policies to bypass decryptio for decryption errors. However the decryption exclusion happen if only the server answer with a handshake errors, in the others hand we dont have a great visibility on these url exclusion for decryption.
- Use a log forwarding feaure to automate IP decryption and fill the IPs in a dynamics objects. This is not correct because we want to exclude URL and not IP of the server or the hosts.

L7 Applicator

This is a great suggestion, please contact your Palo Alto Networks SE to have a Feature Request filed.

L1 Bithead

So, first of all, I may not be understanding exactly what you're saying is going on, but basically, it sounds like you're getting an error when attempting to access content from https/SSL sites. If that is what is occurring, the cause is because that once you enable decryption, your end devices first attempt to set up an SSL connection with your PA, then your PA sets up an SSL connection with the intended server, or true destination on the internet, allowing for full visibility of the traffic in the path or stream of data. However if your end devices don't have the certificate (verifies the owner of the public key, is who they say they are) created on your firewall, they will not be able to set up the desired SSL connection, and will label any connection as "untrusted" and may even cause sites to be un-reachable altogether. My first question would be, have you used some type of AD push or manual method (depending on the size of your environment) to install your PA SSL Certificate into the trusted certificate stores on your end devices. Also, let me add that for any idevices (iphone, Ipad etc.....) you'll have to create an exception manually, because of the way they've set up their Trusted Certificate Store.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!