However, once SSL Decryption is configured, the firewall can decrypt SSL sessions and identify the underlying application as web-browsing.
This session is still over TCP/443, but the configured security rule (containing application web-browsing, service application-default) does not match, because TCP/443 is not included in the default port range for the web-browsing application; the session is therefore dropped by the implicit deny.

4350  web-browsing  DISCARD  FLOW  *NS  192.168.129.207[2514]/L3Trust/6  (172.17.128.129[7301])
vsys1  171.161.202.100[443]/L3Untrust  (171.161.202.100[443])
https://live.paloaltonetworks.com/t5/ConfigurationArticles/AfterConfiguringSSLDecryptionWebBrowsingSessionsDoNot/tap/53040 1/4
1/21/2016 AfterConfiguringSSLDecryption,WebBrowsingSes...LiveCommunity

Resolution
There are two ways to resolve this issue:
1. Change the current rule to permit service any, which allows the web-browsing signature to be matched over TCP/443 so that the decrypted session matches the rule.
2. Clone the existing rule, leaving only application web-browsing, and allow the services service-http and service-https.
Once the above changes are made, the sessions will match the desired rule and show up as ACTIVE:

4373  web-browsing  ACTIVE  FLOW  *NS  192.168.129.207[2528]/L3Trust/6  (172.17.128.129[4471])
vsys1  171.161.202.100[443]/L3Untrust  (171.161.202.100[443])

owner: achitwadgi
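A quick way to spot this condition in `show session all` output, as an added example that is not part of the article: parse the session entries and flag DISCARD sessions whose identified application is running on a port outside its application-default set. The two-line column layout and the per-application default ports (ssl on 443, web-browsing on 80) are assumptions taken from the two session entries quoted above; the sample text is constructed from them.

```python
import re
from dataclasses import dataclass

# Default ports per application as the article states them (ssl -> 443,
# web-browsing -> 80). Only these two apps are modelled; this is an
# assumption, not a copy of the PAN-OS application database.
APP_DEFAULT_PORTS = {"ssl": {443}, "web-browsing": {80}}

# Constructed sample in the two-line layout of `show session all`, built from
# the two session entries quoted in the article; column spacing is assumed.
SAMPLE_SESSIONS = """\
4350  web-browsing  DISCARD  FLOW  *NS  192.168.129.207[2514]/L3Trust/6  (172.17.128.129[7301])
vsys1  171.161.202.100[443]/L3Untrust  (171.161.202.100[443])
4373  web-browsing  ACTIVE   FLOW  *NS  192.168.129.207[2528]/L3Trust/6  (172.17.128.129[4471])
vsys1  171.161.202.100[443]/L3Untrust  (171.161.202.100[443])
"""

# One session = two lines: id/app/state/type/flags/src[sport]/zone/proto (xlate)
# followed by vsys dst[dport]/zone (xlate).
SESSION_RE = re.compile(
    r"^(?P<sid>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+(?P<stype>\S+)\s+(?P<flags>\S+)\s+"
    r"(?P<src>[\d.]+)\[(?P<sport>\d+)\]/(?P<szone>[^/\s]+)/(?P<proto>\d+)\s+\([^)]*\)\s*\n"
    r"(?P<vsys>\S+)\s+(?P<dst>[\d.]+)\[(?P<dport>\d+)\]/(?P<dzone>\S+)\s+\([^)]*\)",
    re.MULTILINE,
)


@dataclass
class Session:
    sid: int
    app: str
    state: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    vsys: str


def parse_sessions(text: str) -> list:
    """Parse the two-line-per-session output into Session records."""
    sessions = []
    for m in SESSION_RE.finditer(text):
        sessions.append(Session(
            sid=int(m["sid"]), app=m["app"], state=m["state"],
            proto=int(m["proto"]), src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]), vsys=m["vsys"],
        ))
    return sessions


def off_default_port_discards(sessions) -> list:
    """Return IDs of DISCARD sessions whose identified app sits on a port
    outside its application-default set. A decrypted session identified as
    web-browsing on TCP/443 is the case from the article: a rule with service
    application-default only covers TCP/80 for web-browsing, so it is
    discarded by the implicit deny."""
    hits = []
    for s in sessions:
        if s.state != "DISCARD":
            continue
        defaults = APP_DEFAULT_PORTS.get(s.app)
        if defaults is not None and s.dport not in defaults:
            hits.append(s.sid)
    return hits


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_SESSIONS)
    for s in parsed:
        print(f"{s.sid}: {s.app} {s.state} {s.src}:{s.sport} -> {s.dst}:{s.dport}")
    print("discarded off app-default port:", off_default_port_discards(parsed))
```

Feed it the pasted CLI output and the session IDs it returns are the ones worth checking against the rule's service column; an ACTIVE web-browsing session on 443, like 4373 after the fix, is not reported.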
Comments
by cryptochrome on 06-24-2013 12:51 PM
What if we put "ssl" in the same rule as "web-browsing" and keep service "application-default" enabled? We now should have Port 80 and 443 allowed (application-default HTTP=80, SSL=443). I just tried that and it doesn't work, which seems rather odd.
by goku123 on 06-24-2013 01:16 PM
"application-default" would still try to match on port 80 for web-browsing since that is the default port in the app definition for web-browsing.
If you would like to use web-browsing & SSL applications in the same rule then you can add the services 'service-http' and 'service-https' to the rule instead of application-default. This will allow web-browsing & ssl on both 443 & 80.
by cryptochrome on 06-24-2013 01:52 PM
Sorry, but I still don't understand. Why would it still match on port 80 if I also have ssl in the same rule? Doesn't the service "application-default" apply to all the apps I have selected in the rule?
Source: Any
Destination: Any
Apps: web-browsing, ssl
Service: application-default
Shouldn't this be the exact same thing as:
Source: Any
Destination: Any
Apps: web-browsing, ssl
Service: service-http, service-https
Because in this case application-default would be 80+443 (because I have both apps in the same rule).
??? This is really odd.
by goku123 on 06-24-2013 02:02 PM
Following is the corresponding dataplane view of the policies configured: #1 is web-browsing,ssl: App default. #2 is web-browsing,ssl: service http, service https:
As you see from the output, 'app-default' applies corresponding default ports to the application. This makes it easier when you would like to allow multiple applications for the same source, e.g. you would want to allow smtp & web browsing for one PC, yet ensure that the PC sends out email & web traffic only on their corresponding ports; choosing app-default would make this very simple to manage.
#1
appdef {
    from any;
    source any;
    source-region none;
    to any;
    destination any;
    destination-region none;
    user any;
    category any;
    application/service [ ssl/tcp/any/443 web-browsing/tcp/any/80 ];
    action allow;
    terminal yes;
}
#2
srvc {
    from any;
    source any;
    source-region none;
    to any;
    destination any;
    destination-region none;
    user any;
    category any;
    application/service [ ssl/tcp/any/443 ssl/tcp/any/80 ssl/tcp/any/8080 web-browsing/tcp/any/443 web-browsing/tcp/any/80 web-browsing/tcp/any/8080 ];
    action allow;
    terminal yes;
}
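The dataplane view above shows what 'application-default' actually expands to. The following is an added example, not code from the thread or from Palo Alto Networks, that models that expansion and first-match rule evaluation in Python using only the port mappings visible in the output (ssl -> tcp/443 and web-browsing -> tcp/80 for application-default; service-http -> tcp/80 and tcp/8080, service-https -> tcp/443). It also covers the article's Resolution: the original single-application rule is checked against the decrypted web-browsing/443 session, alongside both fixes. The rule names, the `ANY` wildcard, and the service definitions are assumptions of this model, not PAN-OS objects.

```python
# Assumed object definitions, taken from what the dataplane output in the
# thread shows. This is a model of the matching logic, not the PAN-OS engine.
APP_DEFAULT = {"ssl": ("tcp", 443), "web-browsing": ("tcp", 80)}
SERVICES = {
    "service-http": [("tcp", 80), ("tcp", 8080)],
    "service-https": [("tcp", 443)],
}
ANY = "any"  # wildcard for protocol / port (assumed representation)


def expand_rule(apps, services):
    """Expand a rule's application and service columns into app/proto/sport/dport
    entries, the same shape as the dataplane 'application/service' list."""
    entries = []
    for app in apps:
        if services == ["application-default"]:
            # app-default: each app gets only its own default port
            proto, port = APP_DEFAULT[app]
            entries.append((app, proto, ANY, port))
        elif services == [ANY]:
            # service any: the app may be seen on any port
            entries.append((app, ANY, ANY, ANY))
        else:
            # explicit services: every app is paired with every service port
            for svc in services:
                for proto, port in SERVICES[svc]:
                    entries.append((app, proto, ANY, port))
    return entries


def format_dataplane(entries):
    """Render entries the way the dataplane prints them: [ ssl/tcp/any/443 ... ]."""
    return "[ " + " ".join("/".join(str(x) for x in e) for e in entries) + " ]"


def entry_matches(entry, app, proto, dport):
    e_app, e_proto, _sport, e_port = entry
    return e_app == app and e_proto in (ANY, proto) and e_port in (ANY, dport)


def evaluate(rules, app, proto, dport):
    """First-match evaluation over rules (name, apps, services, action), like
    'terminal yes'; a session matching no rule falls to the implicit deny."""
    for name, apps, services, action in rules:
        if any(entry_matches(e, app, proto, dport) for e in expand_rule(apps, services)):
            return name, action
    return "implicit-deny", "deny"


# The two rules from the thread, plus the article's original rule and its two fixes.
RULE_APPDEF = ("appdef", ["ssl", "web-browsing"], ["application-default"], "allow")
RULE_SRVC = ("srvc", ["ssl", "web-browsing"], ["service-http", "service-https"], "allow")
RULE_ORIGINAL = ("web-only-appdef", ["web-browsing"], ["application-default"], "allow")
RULE_FIX_SERVICE_ANY = ("web-only-any", ["web-browsing"], [ANY], "allow")
RULE_FIX_CLONED = ("web-only-http-https", ["web-browsing"],
                   ["service-http", "service-https"], "allow")

# Same TCP/443 flow before and after decryption: App-ID shifts from ssl to
# web-browsing once the payload is visible, but the port does not change.
BEFORE_DECRYPT = ("ssl", "tcp", 443)
AFTER_DECRYPT = ("web-browsing", "tcp", 443)

if __name__ == "__main__":
    for rule in (RULE_APPDEF, RULE_SRVC):
        print(f"{rule[0]}: {format_dataplane(expand_rule(rule[1], rule[2]))}")
        print("  before decryption:", evaluate([rule], *BEFORE_DECRYPT))
        print("  after decryption: ", evaluate([rule], *AFTER_DECRYPT))
    for rule in (RULE_ORIGINAL, RULE_FIX_SERVICE_ANY, RULE_FIX_CLONED):
        print(f"{rule[0]} after decryption:", evaluate([rule], *AFTER_DECRYPT))
```

The model reproduces the thread: `appdef` expands to `[ ssl/tcp/any/443 web-browsing/tcp/any/80 ]`, so the pre-decryption ssl/443 session matches it but the decrypted web-browsing/443 session falls through to the implicit deny, while `srvc` carries web-browsing/tcp/any/443 and matches both.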
by cryptochrome on 06-24-2013 02:20 PM
Ok, now that makes more sense, thanks a lot for those details.
But why isn't the first rule matched, if SSL is allowed on port 443? Is it because after decryption, the application is no longer SSL but instead shifts to web-browsing?
by goku123 on 06-24-2013 04:48 PM
Correct. The appID shifts from SSL -> web-browsing; however, the connection is still on port 443, and 443 is not included in 'app-default' for web-browsing.
by cryptochrome on 06-24-2013 11:28 PM
Ok, I got it. Thanks for taking the time to lay this out for me, much appreciated!
Copyright 2007 - 2015 - Palo Alto Networks