About mr.linus

This is not working for any ip.you cannot dest. NAT any ip to 1 ip ahhh, that's right, I forgot. If i recall correctly Juniper can do this 😉 ... View more

why not just add a destination NAT? source: trust destination: untrust service: DNS => destination NAT to your DNS server now all DNS requests to an external server are routed to your DNS server. Just keep a look out for asymmetric routing. ... View more

I was able to get this to work, but only with a custom category including: *.google.* *.google.*/* google.* google.*/* so this would include mail.google.com, which I guess you don't want... If I put in www.google.* some traffic remains undecrypted, but other is decrypted just like you said. This means that making your own custom category to excluded from decryption does work, but just not always :-s Do you have a support ticket open for this? If so, please keep us informed of the output. ... View more

Hey Dyoung, Seems you were right after all: Official reply from PA: The service route in question is the CRL one. That will apply for both. Since we are having some issues with OCSP I am not able to confirm this from our lab setup, but I guess it is correct. ... View more

Dear Cheon, Since you can not choose a service or application for routes on the right side: it is for all traffic! And it will overrule all settings set on the left. Ex. DNS server and Kerberos server are same server LEFT SIDE: Service: DNS Source Address: MGT RIGHT SIDE: Destination: IP of your kerberos server Source Address: IP of your internal interface => DNS traffic wil NOT use the MGT interface, but hit on the right side route rules and use you internal interface as source... But I guess since its going to the same server you would probably want to use the same source Address, but you never know: something to keep in mind.... Regards, OCSP service route? ... View more

Still waiting for an official Palo Alto reply, but I think I found my answer in the admin guide Service Route Configuration (Continued) For example, if you want to route Kerberos authentication requests on an interface other than the MGT port, you need to configure the Destination and Source Address in the right section of the Service Route Configuration window since Kerberos is not listed in the default Service column. For all services that are not selectable on the left side, you have to configure a route on the right. So i guess this will be the same for OCSP... Ex. Destination: IP of your internal kerberos server Source Address: IP of your internal interface But this setup has some limitations: Since you can not choose a service or application, this route is for all traffic! And it will overrule all settings set on the left. Ex. Service: DNS Source Address: MGT + primary DNS is set to same IP as you kerberos server => DNS traffic wil NOT use the MGT interface, but hit on the right side route rules and use you internal interface as source... ... View more

To answer part of my own question. Apparently you can use openssl to test this: "openssl s_client -connect login.live.com:443 -tls1  -tlsextdebug  -status" Linus ... View more

I have asked Palo Alto directly to confirm this, since I was not able to really pin point the ocsp traffic in my packet captures. I am still waiting for a definitive answer on this. In the mean time, I have another related question/observation: Is there any way of checking if OCSP stapling was used? Is there a way of testing if a certain website is using this? Linus ... View more

Owkey, then it seems my initial understanding of OCSP was somewhat correct and this should not have any impact on ssl decryption. I have opened a tech support case (pointing to this discussion). I will give an update as soon as I have one. Tanx for all the help Greg! Linus ... View more

I know, that is PA ssl decryption 101 🙂 I mean even with the client having the root CA in his trust, we still get all untrusted certificates. (without OCSP the ssl decryption works fine) Looks like the OCSP is not checking the root CA, but is checking if the original certificate (for example facebook) is not revoked... ... View more

Allright, OCSP is not completely clear to me yet. Would you not use it purely for client certificates? And if so, how do you dissable it to check all server certificaes when ssl decryption is enabled. Because when we set this up and we use SSL decryption, we get untrusted warnings for all certificates. To solve this, we would need to configure an OCSP responder for all CA's separately, which obviously is not possible. ... View more