About essnet

Hello, I don't trust them but : If I trust their CA, they could sign anything that my user would think is leggit website. And I am 100% sure that they don't take any special measures to protect their CAs . I still want websites to remain untrusted for browser, which is not possible if PA trusts their CA. "Otherwise you can add excludes to a "whitelist" in the PA (listed at List of Applications Excluded from SSL Decryption )" <-- doing such thing means that hackers will get the habbit to use websites that are like  site1.gov.co.uk with selfsigned certicates because they know they aren't inspected : applications ignored by SSL Decryption in this case aren't checked against known CAs Usually , tools provided by these organization are checking that the certificate of website/webapp is signed by their internal CA. Also, these tools are often using Client certificates , which makes Decryption impossible. For all these reasons, the only viable possibility is to allow to ignore SSL Decryption when cert is signed by a list third party CA that would be fed by customer. Decryption Policy panel and stack needs a real big revamp to be usable (in addtion of TLS proper implementation) ... View more

Yes you got it right. GlobalProtect Client for Internet Gateways and Portal might be the answer you are looking for. ... View more

URL category won't be unknown : it reads URL hostname (not real url which is encrypted) from certificate itself that passes trough, so it will  see *.google.com. If you are using Macs, then consider GlobalProtect Portal with agents installed on corporate computers. ... View more

May be an hidden one, all you can do is to select an interface, no option do provide a mac/ip. ... View more

When visiting SSL (HTTPS) you can only 'cut' connection if you don't decrypt it, you cannot provide nice warning/error message. If you are using Windows accounts for login and don't have many remote offices, UserAgent is very quick to setup and you can forget CP forever. ... View more

my guess : 1 - PBF because PBF can change destination Zone/internface 2 - NAT for same reasons 3 - App override because Security policy can rely on it 4 - CP 5 - Security (finally 6 - Decryption Note that some layers are so connected, I wouldn't be surprised to know that they depend on each other. ... View more

Objects -> Logging Profiles -> SNMP Traps/Syslog Apply new profile to the rules you wish and also in Device->Log Settings->System Works great here. ... View more

If other browsers aren't complaining about Certificates, it means that they aren't being concerned by SSL decryption rule (so they aren't using HTTPS?) Again, I think that if you want to make sure, you should get 1 Wireshark network capture for each browser, you will get a quick and 100% sure answer. ... View more

The very first connection of your browser of the one that counts : is it possible that you open HTTP instead of HTTPS with Chrome while not with IE and FF ? In my company, Chrome defaults connection Google with HTTPS . If you take a Wireshark trace (1 for each browser) you will see what kind of connection is doing each browser. For SSL Decryption : yes get errors if you don't invest a lot of time to set it up propely. ... View more

Your rule "from Trust VLAN 20    -> to Untrust any      any      services http/https/ftp      captive-portal" will be ignored on SSL (HTTPS) if you don't have SSL Decryption enabled. ... View more

Did you enable SSL Decryption ? If not, when HTTPS is used, CaptivePortal will be ignored ... View more

In most contexts, I would say these 4 alerts should be ignored, so disabled. ... View more

Signatures must be created (lots of engineering) and tested to avoid blocking legit content. So far PaloAlto has been very responsive with 0days and provided updates out of usual "Tuesday morning" weekly patch. ... View more