About mvrijsten

mvrijsten · ‎01-11-2021

Hi, We are using SSL Decryption and I only allow SSL traffic for specific URL's and categories which are excluded from SSL Decryption. Palo Alto has it's predefined list with SSL Decryption Exclusions (Device > Certificate Management > SSL Decryption Exclusion). From time to time I go to a website and it is blocked because: - It is predefined in the SSL Decrypt Exclusion list - And it is not allowed by a security rule So now I have a URL Category with a URL List and I have to add this URL manually when I want this site to work. Of course this happens for every URL in the SSL Decrypt list. Since this is the case, it would help if there was a URL Category List which I can use in a security rule which automatically contains all URL's from the SSL Decryption Exclusions list. Is there such an object by default or a way to generate dynamically so it is always in sync?

mvrijsten · ‎11-22-2020

Thanks, that does indeed seem to be the issue. Is there a KB for this to see what URL's I should exclude from decryption?

mvrijsten · ‎11-18-2020

We are rolling out SSL Decryption for a group of test users and we run into an issue with PowerBI Desktop. When we try to login in PowerBI Desktop it fails and shows that it cannot setup a trusted SSL/TLS connection for the sign in. I am looking into my decryption logs, but I cannot find any issues with URL's that might have something to do with PowerBI so I don't know what to exclude to fix this. When I disable ssl decryption, it works OK right away. Is anybody familiar with this issue or able to point me into the right direction to troubleshoot this?

mvrijsten · ‎11-04-2020

Thank you, I think I understand now.

mvrijsten · ‎11-02-2020

@BPry , Yes that is correct. I am trying to ping the WAN IP. But as a check, I just also created a Dest. Nat rule to a internal webserver on this IP and that also does not work. Same issue is happening, so it does not seem to be the issue that it is the WAN IP I am trying to ping. Otherwise it should work with the NAT rule right?

mvrijsten · ‎11-02-2020

We are running PanOS-10.0.2 on our PA-220 and we are having an issue with a PBF rule which seems to be denied even though it should match the traffic. The setup: 2 WAN interfaces: Primary = PPPoE interface on ETH 1/5. Route is added to router when PPPoE is online with metric 10 Secondary = "Normal" interface on ae1.100. Static route is in router with metric 20 For this example, I will use the IP's 1.2.3.4 for Primary and 5.6.7.8 for secondary For both interfaces ping is allowed and there is a PBF rule added with Enforce Symmetric Return: Primary WAN is working fine and failover is going as expected as soon as the PPPoE goes offline. Only issue is when both WAN are online, a ping to the secondary WAN is not working. What happens is: Ping from random WAN IP to 5.6.7.8 No response is received Packet trace shows that the reply is sent over eth1/5 with 5.6.7.8 as source IP Because of the PBF rule I would expect the reply to use the same interface, but instead it seems to ignore this and use the route with lowest metric. Anyone around who has an idea why this is not working?

Member Since	‎02-12-2020 11:54 PM
Date Last Visited	‎08-04-2022 04:07 AM
Posts	6

Online Status	Offline
Date Last Visited	‎08-04-2022 04:07 AM

About mvrijsten

URL Category list with all URLs from SSL Decryption Exclusion

Re: PowerBI Desktop Sign In fails with SSL Decryption

PowerBI Desktop Sign In fails with SSL Decryption

Re: Issue with PBF Symmetric Return

Re: Issue with PBF Symmetric Return

URL Category list with all URLs from SSL Decryption Exclusion

Re: PowerBI Desktop Sign In fails with SSL Decryption

PowerBI Desktop Sign In fails with SSL Decryption

Re: Issue with PBF Symmetric Return

Re: Issue with PBF Symmetric Return

Issue with PBF Symmetric Return