Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About cryptochrome
About cryptochrome
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
06-22-2018
84Posts
1Like
1Solution
Jun 22, 2018Last Visited
User
Activity
User
Profile
Latest posts by cryptochrome
| Subject | Views | Posted |
|---|---|---|
| 4031 | 07-27-2013 02:46 AM | |
| 1097 | 07-09-2013 11:17 PM | |
| 1097 | 07-09-2013 12:27 PM | |
| 1096 | 07-09-2013 12:14 PM | |
| 1097 | 07-09-2013 11:05 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 07-09-2013 11:02 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 2 | |||
| 2 | |||
| 2 | |||
| 4 | |||
| 1 |
User Badges
Public Statistics
| Date Registered | 07-01-2012 02:49 AM |
| Date Last Visited | 06-22-2018 08:30 AM |
| Total Messages Posted | 84 |
| Total Likes Received | 1 |
07-27-2013
02:46 AM
I have the same issue. Obviously something is wrong with the current Content update. WTF? Is there no quality control? Which version should we install to get around this? If we install an older version, the firewall will auto-update to the broken version unless we disable auto-update.
... View more
07-09-2013
11:17 PM
- it also affects Android's chrome browser, which is also based on WebKit, just like mobile Safari. Would be interesting to find out whether it also applies to desktop Safari.
... View more
07-09-2013
12:14 PM
Interesting. Thanks Mikand. Let's see what PAN support has to say about this.
... View more
07-08-2013
11:58 PM
Hi Mikand, thanks for the detailed instructions. Actually, I already did all of that except for the tcpdumps. The decryption policy is definitely ok (else it wouldn't decrypt the non-iPhone sessions). We also have a decryption profile that specifically blocks unsupported versions/ciphers and if ressource is unavailable. This means these sessions are supposed to blocked, but they are not. They are just not being decrypted. What bugs me the most is that there is simply no information on the box about what's going on. At least not obvious. The traffic log is not helpful at all, since all it tells me is whether a session was decrypted or not. It doesn't tell me why. There is nothing in the system logs either. The exclude-cache is empty. I love PAN, but in this area they need to improve. A lot. I am going to ask the customer to send me the server's certificate so I can check whether it uses Diffie Hellman. That's about the only thing left I can think of as a culprit.
... View more
07-08-2013
11:25 PM
Hi Nadir, thanks for the help. In fact, when I tried mobile Firefox the session was decrypted just fine. Using Google Chrome (Android) or mobile Safari (iPhone) the session would not get decrypted. Looks like an issue with Webkit based browsers. HOWEVER: There is nothing related in the certificate list you get when issuing the ' show system setting ssl-decrypt exclude-cache ' command. The webserver's certificate does not show up in that list. What I also don't understand: If there is a problem with ciphers, why can I connect to the webserver using iPhone/Android just fine? The browser seems to be encrypting the session without a problem. It's the firewall that does not decrypt.
... View more
07-08-2013
01:19 PM
How can I see that on the firewall? Where are incompatibilities being logged? Will try...
... View more
07-08-2013
12:10 PM
Hi there, we just configured our first SSL Inbound decryption, but we have some trouble and need help troubleshooting it. Very simple setup: Webserver in DMZ zone Firewall policy: from:untrust to:dmz; src:any; dst:webserver; app:ssl,web-browsing; service:service-http(s); action:allow Decryption policy: from:untrust to:dmz; src:any; dst:webserver; action:decrypt The webserver's certifictate and key have been imported to the firewall. Accessing the webserver from an external PC: Traffic gets decrypted perfectly. Accessing the webserver from an iPhone and from and Android device: Traffic is *not* being decrypted. In all cases the source IPs were completely random and are not subject to any firewall rule. This is reproducible and I tried to find out why it would decrypt in one case but not in another. Any ideas? Is there a way I can troubleshoot this other than looking at the traffic logs, which don't contain any helpful information? Thanks
... View more
Labels:
06-25-2013
01:22 PM
Thanks. Just for clarification: Isn't certificate revocation checking decoupled from decryption? Meaning, even if I bypass Google from decryption, wouldn't the certificate checks still jump in? Or are these settings only used in tandem with decryption?
... View more
06-25-2013
12:02 PM
Hello Nadir, we are running 5.0.4. And I am seeing the same error messages in sslmgr.log that are described in the other discussion you linked to. So it's safe to assume we are hitting this bug as well. I will try to turn off OCSP checks. If I understand the bug correctly, it's only happening after turning on OCSP. What do you think? Thanks Sascha
... View more
06-24-2013
01:54 PM
As I said earlier, regarding to my system logs, there are no issues with retrieving the CRL lists. There is no timeout, and Google is the only destination that's affected. The "timeout" in the error message is indeed strange, but sometimes we get no error message at all. Thanks!
... View more
06-24-2013
10:32 AM
Thanks, but it's not a problem of being blocked by firewall policy. It's a problem with the PAN checking Google's certificates. See this: As I wrote above, it must have something to do with checking CRL/OCSP in Device -> Service -> Session -> Decryption Certificate Revocation Settings. If we disable the checks, it works fine.
... View more
06-24-2013
10:12 AM
Hi, we have some trouble with a lot of Google sites when we enable SSL decryption and also enable CRL and OCSP checks. We either get no response at all, or error messages like the one in the attached screenshot. If we disable the CRL/OCSP checks (which is undesirable I guess), then we have no problems at all. Google is the only destination we have these problems with and regarding to the system logs, the CRL list retreival is working fine. Any ideas? Thanks Sascha
... View more
Labels:
06-21-2013
10:57 AM
thanks :smileygrin:
... View more
06-21-2013
10:52 AM
Hi, I just noticed two traffic log entries that had packet captures attached. I didn't enable this anywhere, and just to make sure, I just went through the whole config (all profiles) to make sure I didn't enable it by accident. Are thre any circumstances in which the firewall would take pcaps on it's own? If not, what keyword should I grep for in the config file to find out where pcaps are enabled? Thanks
... View more
Labels:
06-20-2013
12:54 AM
Oh I understood your second sentence, jvalentine. My reply about not quite getting it was directed at panos (first reply in the thread). Thanks everyone. I get it now. I am going to use profiles.
... View more
06-20-2013
12:52 AM
Thanks all. Makes sense. Interesting point about Diffie-Hellman though!
... View more
06-19-2013
12:29 PM
I am not looking for a guide on how to configure it, there are plenty. What I want to know is how SSL inbound decryption works from an architectural point of view. In the docs it says that once you loaded the webserver's certificate onto the PAN device and enable inbound decryption, the traffic between client and server remains untouched. How is this done? Is the PAN working like a reverse proxy, e.g. the client connection is actually terminated on the PAN firewall and not the webserver behind it?
... View more
- Tags:
- ssl
Labels:
06-19-2013
11:56 AM
Thanks, jvalentine. Good point about no proper response pages when using categories in a block rule directly. Is this verified? As for the rest of you response: Great, thanks. That helped a lot.
... View more
06-19-2013
11:54 AM
Thanks. Can you rephrase your second sentence? I am not quite getting it
... View more
06-19-2013
10:39 AM
Hi, there are two ways to select which URL categories should be allowed/blocked: You can either create a URL-Filtering profile and attach it to firewall rules, or you can specify URL-categories directly in the firewall rule (destination). Specifying URL categories directly in the firewall rule seems to have the advantage that you can immediately see which categories you allow/block directly in the rulebase, without looking into the profiles. Then again, using profiles seems to have the advantage that you can specify more actions (override, alarm etc.). What's the general approach here? Why would you choose one over the other? And what would happen if I would combine both approaches? e.g. Specify some destination URL categories in a firewall block rule and then add a profile that allows and logs all categories? Which takes precedence? Is it even possible to combine in such a way? Thanks for your thoughts!
... View more
Labels:
06-14-2013
01:55 PM
Excellent, thank JV. I think I am going for dedicated cleanup rules in each zone-context to get more details. Thanks!
... View more
06-14-2013
12:52 PM
Thanks Greg, that makes sense. I am going to try that out. One more question: If it is recommended to not use any cleanup rules at all and you effectively turn off all logging for dropped packets that way, how does this impact reporting and the ACC?
... View more
06-14-2013
10:51 AM
Hi, when I have a global clean-up rule that blocks/logs all unwanted traffic, my firewall management traffic (DNS lookups, PAN-DB updates etc) stop working if I configure it to use any other interface but the dedicated management ports. So I added a lot of rules to allow this traffic. Which is really not what I want. I also see inconsistencies. For example, SMTP traffic from the firewall (for sending alarm emails) seems to work without having a security rule for it (destination is directly connected inside a DMZ), while PAN-DB lookups (to the internet) need a security rule. Same for DNS. This is really confusing and inconsistent. Are there any guidelines or best practices on how to set this up? Thanks
... View more
Labels:
06-03-2013
11:47 PM
Thanks guys. However, my questions remain. If Dropbox client can not be decrypted, what is the proper way of excluding it? See my opening post. It used to be on the internal exclude-list but that doesn't seem to be true anymore. Why was it removed? How do you exclude it properly?
... View more
06-02-2013
08:29 AM
Hi, what is the current "state" with PAN firewalls when it comes to decrypting Dropbox traffic? I found a lot of threads on the forum, some with contradicting information. It was said that Dropbox was put on an internal ssl-exclude list so the firewall wouldn't decrypt it, in a later post it was said it has been removed from the list again. Generally, the information is quite old. In yet another post it was suggested to put *.dropbox.com into the ssl-exclude list manually. Confusing.... I tried decrypting Dropbox but I failed. The Dropbox client reports it is unable to establish a secure connection, so I figure there are still issues? What is the current situation? Can Dropbox be decrypted? If not, what is the proposed way of excluding it (custom URL category with *.dropbox.com? put *.dropbox.com in the ssl-exclude-cert list?)? Thanks
... View more
Labels:
06-01-2013
06:27 AM
Hi, as far as I understand Anti-Spyware profiles, the DNS options will find DNS lookups to known malware sites. How exactly does this work? Will the actual DNS lookup be blocked or will the client's access to the site be blocked? Quote from the documentation: Additionally, hosts that perform DNS queries for malware domains will appear in the botnet report. DNS signatures are downloaded as part of the antivirus updates. What if hosts use an internal DNS server? That would result in only the DNS server showing up in the botnet report? Thanks
... View more
- Tags:
- anti-spyware
Labels:
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-22-2018
08:30 AM
|
Latest Tags
No tags yet
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
