We've been having some issues with websites like Dropbox, Hightail, etc. since configuring SSL Decryption. I believe this relates to a security technique called "Certificate Pinning". I've resolved the issue by adding the "Online Storage & Backup" URL category into a no-decrypt policy, but it concerns me that opening up the entire category is a risk and could result in unwanted content entering our network.
We have a large number of suppliers who send product-related files to us using applications like Dropbox, but because they don't use a common platform these files can come from a number of different file sharing sites. This makes it tricky to use a custom URL category. Additionally, there are a high number of internal users who need to access the files for download, so restricting access down to a select few isn't going to work.
I'd like to find out if others have had this issue and how they mitigated the risk. I don't think I'm going to be able to eliminate the risk but if I can reduce it then I will be much happier.
I'm still only fairly new to PAs, so maybe it's just my inexperience that is not allowing me to resolve this.
Appreciate anyone's thoughts!
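One way to keep the no-decrypt exception narrower than the whole "Online Storage & Backup" category is to mine the URL filtering logs for the hosts actually reached under that category and build a custom URL category from them. The script below is an added example, not part of the original post or a Palo Alto Networks tool; the log lines are constructed and simplified to six fields (real PAN-OS URL logs carry many more), and the category name, hosts, addresses and the `min_sessions` threshold are assumptions for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample of PAN-OS-style URL filtering log lines, reduced to the
# fields this script needs (NOT real exported log output). Hosts, addresses and
# times are made up for the example.
SAMPLE_LOG = """\
2015/11/02 09:01:12,10.1.5.23,162.125.1.1,online-storage-and-backup,www.dropbox.com/s/abc123/parts.zip,alert
2015/11/02 09:03:44,10.1.5.41,162.125.1.1,online-storage-and-backup,dl.dropboxusercontent.com/u/9/drawing.pdf,alert
2015/11/02 09:10:05,10.1.5.23,54.12.7.9,online-storage-and-backup,www.hightail.com/download/abc,alert
2015/11/02 09:12:30,10.1.5.77,93.184.216.34,computer-and-internet-info,www.example.com/,alert
2015/11/02 09:15:02,10.1.5.41,162.125.1.1,online-storage-and-backup,www.dropbox.com/s/def456/spec.docx,alert
2015/11/02 09:20:48,10.1.5.90,1.2.3.4,online-storage-and-backup,randomshare.example.net/file/123,alert
"""

# Column names for the simplified CSV above (an assumption of this example).
FIELDS = ["receive_time", "src", "dst", "category", "url", "action"]


def parse_log(text):
    """Parse the simplified CSV log into a list of dicts keyed by FIELDS."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))


def host_of(url):
    """URL logs omit the scheme, so the host is everything before the first '/'."""
    return url.split("/", 1)[0].lower()


def hosts_in_category(rows, category):
    """Count sessions per destination host for one URL category."""
    counts = Counter()
    for row in rows:
        if row["category"] == category:
            counts[host_of(row["url"])] += 1
    return counts


def exclusion_candidates(rows, category, min_sessions=2):
    """Hosts seen at least min_sessions times: the shortlist for a custom URL
    category used by the no-decrypt rule. Everything else stays decrypted.
    The threshold is a tunable assumption, not a recommended value."""
    counts = hosts_in_category(rows, category)
    return sorted(host for host, n in counts.items() if n >= min_sessions)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for host, n in hosts_in_category(rows, "online-storage-and-backup").most_common():
        print(f"{n:4d}  {host}")
    print("custom category entries:",
          exclusion_candidates(rows, "online-storage-and-backup"))
```

Run it against a real CSV export of the URL log (mapping the column names in `FIELDS` to the export's columns) and paste the resulting hosts into a custom URL category; pointing the no-decrypt rule at that category instead of the predefined one keeps every other file sharing site under decryption, and re-running the script periodically shows when a new supplier site appears.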
I have a perplexing problem with allowing DNS traffic from internal to the internet on our new PA-3020 running 7.0.3.
We have 2 DNS servers in our datacentre on the same subnet that perform queries to a couple of external DNS servers provided by our telco.
I have a rule allowing traffic from the 2 IPs (Internal Zone) for our DNS servers out to the internet (any) on UDP port 53.
One server is successfully using this rule but the other server bypasses the rule and gets blocked by the explicit deny at the bottom. The traffic log shows the correct port (53) but the application is "not-applicable". I've tried the following "application/service" settings but there is no change to the issue:
Application: any, Service: UDP 53
Application: dns, Service: application-default
Application: dns, Service: UDP 53
I've done packet captures on the server that's not working and the destination port for the traffic is UDP 53 so I'm at a real loss to know why this is happening. Can anyone assist me here please?
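A session can carry the right destination port and still miss an allow rule, because policy lookup checks every field of the rule (source and destination zone, addresses, service, and application once App-ID has a verdict), not just the port. The rulebase walker below is an added example, not part of the original post or of PAN-OS; it models a rulebase loosely like the one described (an explicit DNS allow for two servers followed by an explicit deny-all) and reports, for each rule a session fails to match, which fields caused the miss. The zone names, addresses, and the assumption that server B's packets arrive in a different zone are all made up for illustration.

```python
import ipaddress

# Constructed rulebase loosely modelled on the post. All names, zones and
# addresses are assumptions for the example.
RULEBASE = [
    {
        "name": "allow-dns-out",
        "from_zone": {"Internal"},
        "to_zone": {"any"},
        "source": {"10.20.0.10/32", "10.20.0.11/32"},   # the two DNS servers
        "destination": {"any"},
        "application": {"dns"},
        "service": {"udp/53"},
        "action": "allow",
    },
    {
        "name": "deny-all",
        "from_zone": {"any"}, "to_zone": {"any"},
        "source": {"any"}, "destination": {"any"},
        "application": {"any"}, "service": {"any"},
        "action": "deny",
    },
]


def _in_set(allowed, value):
    return "any" in allowed or value in allowed


def _addr_match(allowed, ip):
    """True if ip is 'any' or falls inside one of the rule's prefixes."""
    if "any" in allowed:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in allowed)


def field_mismatches(rule, session):
    """Names of the rule fields this session does NOT satisfy (empty = match)."""
    svc = f"{session['proto']}/{session['dport']}"
    app = session.get("app")  # None = App-ID has no verdict yet (first packet)
    checks = {
        "from_zone": _in_set(rule["from_zone"], session["from_zone"]),
        "to_zone": _in_set(rule["to_zone"], session["to_zone"]),
        "source": _addr_match(rule["source"], session["src"]),
        "destination": _addr_match(rule["destination"], session["dst"]),
        "service": _in_set(rule["service"], svc),
        # before App-ID has a verdict the application cannot rule a match out
        "application": app is None or _in_set(rule["application"], app),
    }
    return [name for name, ok in checks.items() if not ok]


def evaluate(session, rulebase=RULEBASE):
    """Walk the rulebase top-down. Return (matched rule name, action, and for
    every rule skipped on the way the fields that caused it to be skipped)."""
    skipped = {}
    for rule in rulebase:
        bad = field_mismatches(rule, session)
        if not bad:
            return rule["name"], rule["action"], skipped
        skipped[rule["name"]] = bad
    return None, "deny", skipped  # fell through: implicit deny


# Constructed sessions: both DNS servers querying a resolver on UDP/53.
SERVER_A = {"from_zone": "Internal", "to_zone": "Untrust", "src": "10.20.0.10",
            "dst": "203.0.113.53", "proto": "udp", "dport": 53}
# Assumed for the example: server B's packets enter the firewall in another
# zone, so the port matches but the source zone does not.
SERVER_B = dict(SERVER_A, from_zone="Servers", src="10.20.0.11")

if __name__ == "__main__":
    for label, sess in (("server A", SERVER_A), ("server B", SERVER_B)):
        name, action, skipped = evaluate(sess)
        print(f"{label}: matched {name} ({action}); skipped: {skipped}")
```

The point of the walker is the `skipped` dictionary: for the second server it names the field that disqualified the allow rule, which is exactly what to compare against the real traffic log entry (source zone, ingress interface, source address, service) for the session that hit the deny-all. Substitute the zones and addresses from your own rulebase and the session fields from the log line before drawing any conclusion.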