I made a quite shocking discovery about PA and how it inspects SSL encrypted traffic. Please correct me if I'm wrong.

1. To allow simple HTTPS web browsing traffic, it isn't enough to allow the "web-browsing" application in the policy; you must allow the "SSL" application as well, otherwise only HTTP browsing will work, but not HTTPS.

2. All non-HTTP traffic which is encrypted with SSL, but for which PA has no application signature (in other words, cannot classify it as any known application), is classified as SSL.

This means that if you allow HTTPS browsing, you also allow all other SSL encrypted traffic which PA cannot recognize (meaning any application which isn't very popular and is using SSL can bypass PA security). So far I couldn't find any way to allow HTTPS browsing and block unclassified SSL traffic at the same time. I attached a screenshot with my logs, where unrecognized SSL traffic is permitted along with HTTPS traffic and nothing can be done to prevent it.