
1/21/2016 AfterConfiguringSSLDecryption,WebBrowsingSes...

After Configuring SSL Decryption, Web Browsing Sessions Do Not Match the Configured Policy

by goku123 on 10-27-2012 08:05 AM (2,785 Views)

Labels: Objects & Security Profiles, Panorama

Symptoms


An SSL decryption policy has been put in place, but websites that start as HTTP and then switch to HTTPS no longer load properly.

Issue


The security rule was originally set to allow applications ssl and web-browsing with service application-default.


Service application-default forces the App-ID to match only on the ports that are defined as default ports for the application. The default service (port) for application web-browsing is TCP/80.

However, once SSL Decryption is configured, the firewall can decrypt SSL sessions and identify the underlying application as web-browsing. The session is still over TCP/443, but the configured security rule (application web-browsing, service application-default) does not match because TCP/443 is not included in the default port range for application web-browsing, so the session is dropped by the implicit deny:

4350  web-browsing  DISCARD  FLOW  *NS  192.168.129.207[2514]/L3Trust/6  (172.17.128.129[7301])
vsys1                                    171.161.202.100[443]/L3Untrust  (171.161.202.100[443])
Resolution

There are two ways to resolve this issue:

1. Change the current rule to permit service any, which lets the web-browsing signature match over TCP/443 and so lets the decrypted session match the rule.
2. Clone the existing rule, leaving only application web-browsing, and allow services service-http and service-https.

Option 1 is the broader of the two, since it allows the rule's applications on any port; option 2 keeps the rule limited to the HTTP and HTTPS ports.

Once either change is made, the sessions match the desired rule and show up as ACTIVE:

4373  web-browsing  ACTIVE  FLOW  *NS  192.168.129.207[2528]/L3Trust/6  (172.17.128.129[4471])
vsys1                                   171.161.202.100[443]/L3Untrust  (171.161.202.100[443])
owner: achitwadgi


Comments

by cryptochrome on
06-24-2013 12:51 PM

What if we put "ssl" in the same rule as "web-browsing" and keep service "application-default" enabled? We now should have Port 80
and 443 allowed (application-default HTTP=80, SSL=443). I just tried that and it doesn't work, which seems rather odd.


by goku123 on
06-24-2013 01:16 PM

"application-default" would still try to match on port 80 for web-browsing, since that is the default port in the app definition for web-browsing.
If you would like to use the web-browsing & SSL applications in the same rule, then you can add the services 'service-http' and 'service-https' to the rule instead of application-default. This will allow web-browsing & ssl on both 443 & 80.


by cryptochrome on
06-24-2013 01:52 PM

Sorry, but I still don't understand. Why would it still match on port 80 if I also have ssl in the same rule? Doesn't the service "application-default" apply to all the apps I have selected in the rule?

Source: Any
Destination: Any
Apps: web-browsing, ssl
Service: application-default

Shouldn't this be the exact same thing as:

Source: Any
Destination: Any
Apps: web-browsing, ssl
Service: service-http, service-https

Because in this case application-default would be 80+443 (because I have both apps in the same rule).
??? This is really odd.


by goku123 on
06-24-2013 02:02 PM

Here is the screenshot of the policy view in GUI:

Following is the corresponding dataplane view of the policies configured: #1 is web-browsing,ssl: App default. #2 is web-browsing,ssl: service http, service https:

#1
appdef {
from any;
source any;
source-region none;
to any;
destination any;
destination-region none;
user any;
category any;
application/service [ ssl/tcp/any/443 web-browsing/tcp/any/80 ];
action allow;
terminal yes;
}

#2
srvc {
from any;
source any;
source-region none;
to any;
destination any;
destination-region none;
user any;
category any;
application/service [ ssl/tcp/any/443 ssl/tcp/any/80 ssl/tcp/any/8080 web-browsing/tcp/any/443 web-browsing/tcp/any/80 web-browsing/tcp/any/8080 ];
action allow;
terminal yes;
}

As you see from the output, 'app-default' applies the corresponding default ports to each application. This makes it easier when you would like to allow multiple applications for the same source, e.g. you would want to allow smtp & web browsing for one PC, yet ensure that the PC sends out email & web traffic only on their corresponding ports; choosing app-default would make this very simple to manage.

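An added example (mine, not code from the article, its commenters or Palo Alto Networks) covering both the Resolution section and the dataplane output in the comment above: it models how a rule's application/service list expands into the app/tcp/any/port entries the dataplane shows, and evaluates the decrypted web-browsing session on TCP/443 against the original rule and the two fixes. The port tables are read off the page's own output (service-http = 80, 8080 and service-https = 443 are inferred from rule #2's expansion); the rule dictionaries, rule names and function names are assumptions of this example.

```python
# Added example, not Palo Alto Networks code: a small model of PAN-OS rule
# expansion and matching. Port tables come from the page's dataplane output;
# the rule dictionaries and function names are this example's own assumptions.

# Default ports per application (from rule #1's expansion above).
APP_DEFAULT_PORTS = {"ssl": {443}, "web-browsing": {80}}
# Service objects (from rule #2's expansion: service-http = 80, 8080; service-https = 443).
SERVICE_PORTS = {"service-http": {80, 8080}, "service-https": {443}}


def expand_rule(rule):
    """Return the rule's 'app/tcp/any/port' entries as the dataplane view lists them."""
    entries = []
    for app in rule["apps"]:
        if rule["services"] == ["application-default"]:
            ports = {str(p) for p in APP_DEFAULT_PORTS[app]}  # each app only on its own defaults
        elif "any" in rule["services"]:
            ports = {"any"}
        else:  # every listed app is paired with every port of every listed service
            ports = {str(p) for s in rule["services"] for p in SERVICE_PORTS[s]}
        entries += [f"{app}/tcp/any/{p}" for p in sorted(ports)]
    return entries


def rule_matches(rule, app, dport):
    """Does a session identified as `app` on TCP destination port `dport` hit the rule?"""
    if app not in rule["apps"]:
        return False
    if rule["services"] == ["application-default"]:
        return dport in APP_DEFAULT_PORTS[app]
    if "any" in rule["services"]:
        return True
    return any(dport in SERVICE_PORTS[s] for s in rule["services"])


def evaluate_session(rules, app, dport):
    """Name of the first matching rule, or 'implicit-deny' (the DISCARD session above)."""
    for rule in rules:
        if rule_matches(rule, app, dport):
            return rule["name"]
    return "implicit-deny"


# Constructed rulebases: the original rule and the two fixes from the Resolution.
ORIGINAL = [{"name": "allow-web", "apps": ["ssl", "web-browsing"], "services": ["application-default"]}]
FIX_SERVICE_ANY = [{"name": "allow-web", "apps": ["ssl", "web-browsing"], "services": ["any"]}]
FIX_HTTP_HTTPS = [{"name": "allow-web", "apps": ["ssl", "web-browsing"], "services": ["service-http", "service-https"]}]
```

Before decryption the session is identified as ssl on 443 and matches the original rule; after decryption the same session is web-browsing on 443, which only the two fixed rulebases allow.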

by cryptochrome on
06-24-2013 02:20 PM

Ok, now that makes more sense, thanks a lot for those details.
But why isn't the first rule matched, if SSL is allowed on port 443? Is it because after decryption, the application is no longer SSL but
instead shifts to web-browsing?


by goku123 on
06-24-2013 04:48 PM

Correct. The App-ID shifts from SSL to web-browsing; however, the connection is still on port 443, and 443 is not included in 'app-default' for web-browsing.


by cryptochrome on
06-24-2013 11:28 PM

Ok, I got it. Thanks for taking the time to lay this out for me, much appreciated! :smileyhappy:

