Differences

This shows you the differences between two versions of the page.

--- paloaltonetworks:configuration:decryption [2020/10/01 08:25] – created bstafford
+++ paloaltonetworks:configuration:decryption [2022/11/23 12:49] (current) – external edit 127.0.0.1
@@ Line 10: / Line 10: @@
 <code>show system setting ssl-decrypt exclude-cache</code>
 To get statistics, run,
-<code>debug dataplane show ssl decrypt ssl stats</code>
+<code>debug dataplane show ssl-decrypt ssl-stats</code>
 To disabled decryption across the whole firewall (WITHOUT COMMITING), run
@@ Line 45: / Line 45: @@
 =====Decryption Profile=====
-* Consider appending certificate CN value to SAN extension.
+  * Consider appending certificate CN value to SAN extension.
-* Consider blocking RSA and DHE
+  * Consider blocking RSA and DHE
-* Consider allowing GCM only and SHA256 and higher only.
+  * Consider allowing GCM only and SHA256 and higher only.
-* Strip ALPN for HTTP Header Insertion and Clientless VPN.
+  * Strip ALPN for HTTP Header Insertion and Clientless VPN.
 Remember, if you want the firewall to actually check the status of certificates, you have to enable that at
@@ Line 54: / Line 54: @@
 Skype for Business will break if you tick ''block session with unsupported versions''.
+Random sites with two certificate chains will break if you tick "block expired certs" if one of the chains expires. This applies even if you only block expired certs on "no decrypt" sites.
 =====Get Firefox to Use System CA Store=====
@@ Line 72: / Line 74: @@
 <code>watson.telemetry.microsoft.com
 watson.microsoft.com</code>
+For Chromebooks to access the Internet (Aug 2021)
+<code>accounts.google.com/
+chrome.google.com/
+connectivitycheck.android.com/
+*.ggpht.com/</code>
+For Cortex XDR Traffic:
+<code>*.traps.paloaltonetworks.com
+*.xdr.<region>.paloaltonetworks.com
+app-proxy.<region>.paloaltonetworks.com
+panw-xdr-evr-prod-<region>.storage.googleapis.com
+panw-xdr-installers-prod-us.storage.googleapis.com
+panw-xdr-payloads-prod-us.storage.googleapis.com
+global-content-profiles-policy.storage.googleapis.com
+lrc-<region>.paloaltonetworks.com</code>
 You should also exclude some Skype for Business domains based on [[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRbCAK|this page]].
 <code>*.online.lync.com
@@ Line 279: / Line 297: @@
 To see what SSL/TLS protocls are in use on a server, use this command
 <code>nmap --script ssl-enum-ciphers -p 443 1.1.1.1</code>
+===== Download Certificate =====
+<code>openssl s_client -showcerts -servername www.example.com -connect www.example.com:443</code>
 ===== Inbound Inspection Limitation =====
 Prior to PAN-OS 8.0, Palo could not do inbound inspection on DHE or ECDHE.
-If you place the Palo between the internet and (say) F5 load balancers that terminated the SSL connections, you may haveto add the following to the cipher configuration of the appliances.
+If you place the Palo between the internet and (say) F5 load balancers that terminated the SSL connections, you may have to add the following to the cipher configuration of the appliances.
-<pre>:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:!ECDHE+AES-GCM:!ECDHE+AES:!ECDHE+3DES</pre>
+<code>:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:!ECDHE+AES-GCM:!ECDHE+AES:!ECDHE+3DES</code>
 ===== Chrome CN Field =====
@@ Line 367: / Line 386: @@
 <code>debug dataplane show ssl-decrypt bitmask-cipher <bitmask-value></code>
+===== Office365 Certificates =====
+Microsoft list their root and intermediate certificates [[https://docs.microsoft.com/en-gb/microsoft-365/compliance/encryption-office-365-certificate-chains?|here]].
+===== Sophos Decryption Exception =====
+List of URLs that Sophos excludes from decryption
+  * adobe.com
+  * ecure.echosign.com
+  * agni.lindenlab.com
+  * atl.citrixonline.com
+  * authentication.citrixonline.com
+  * iad.citrixonline.com
+  * citrixonlinecdn.com
+  * las.citrixonline.com
+  * live.citrixonline.com
+  * ord.citrixonline.com
+  * sjc.citrixonline.com
+  * fra.citrixonline.com
+  * ams.citrixonline.com
+  * servers.citrixonline.com
+  * play.google.com
+  * tpncs.simplifymedia.net
+  * tpnxmpp.simplifymedia.net
+  * gotomeeting.com
+  * icloud.com
+  * apple.com
+  * gsa.apple.com
+  * gsas.apple.com
+  * itunes.apple.com
+  * ess.apple.com
+  * gc.apple.com
+  * appstore.com
+  * courier.sandbox.push.apple.com
+  * swscan.apple.com
+  * itwin.com
+  * livemeeting.com
+  * logmein.com
+  * secure.logmeinrescue.com
+  * mozilla.org
+  * packetix.net
+  * pgiconnect.com
+  * softether.com
+  * telex.cc
+  * vedivi.com
+  * vudu.com
+  * adobelogin.com
+  * android.com
+  * bitdefender.com
+  * bitdefender.net
+  * books.google.com
+  * drive.google.com
+  * cloudmosa.com
+  * crsi.symantec.com
+  * central.avsi.symantec.com
+  * services-prod.symantec.com
+  * shasta-mr-healthy.symantec.com
+  * login.norton.com
+  * nds.norton.com
+  * stats.norton.com
+  * zpi.nortonzone.com
+  * central.nrsi.symantec.com
+  * ent-shasta-mr-clean.symantec.com
+  * ent-shasta-rrs.symantec.com
+  * vip.symantec.com
+  * tses.symantec.com
+  * www.nortonzone.com
+  * dochub.com
+  * dropbox.com
+  * dropcam.com
+  * fedoraproject.org
+  * informaticacloud.com
+  * informaticaondemand.com
+  * infra.lync.com
+  * activation.sls.microsoft.com
+  * messenger.live.com
+  * lr.live.net
+  * account.live.com
+  * accounts.mesh.com
+  * update.microsoft.com
+  * storage.mesh.com
+  * sls.microsoft.com
+  * windowsupdate.microsoft.com
+  * windowsupdate.com
+  * phonefactor.com
+  * logentries.com
+  * mzstatic.com
+  * onepagecrm.com
+  * osdimg.com
+  * pathviewcloud.com
+  * periscope.tv
+  * postlm.com
+  * postls.com
+  * two.postls.com
+  * quip.com
+  * rhn.redhat.com
+  * rooms.hp.com
+  * securewebportal.net
+  * sharpcast.com
+  * silentcircle.com
+  * silentcircle.net
+  * snapchat.com
+  * table14.fr
+  * urlcloud.paloaltonetworks.com
+  * vagrantcloud.com
+  * verisign.com
+  * wdcdn.net
+  * wiredrive.com
+  * whatsapp.net
+  * whispersystems.org
+  * wildfire.paloaltonetworks.com
+  * anywhere2.telus.com
+  * api.twitter.com
+  * auth.gfx.ms
+  * auth2.triongames.com
+  * autoupdate.opera.com
+  * bitbucket.org
+  * discordapp.com
+  * login.kaseya.net
+  * myquickcloud.com
+  * notify.mql5.com
+  * updates.metaquotes.net
+  * novafusion.ea.com
+  * owner-api.teslamotors.com
+  * portal.aws.amazon.com
+  * secure.hp-ww.com
+  * softwareupdate.vmware.com
+  * sp.cwfservice.net
+  * sso.8x8.com
+  * vm.8x8.com
+  * www.origin.com
+  * sophos.com
+  * sophosxl.com
+  * sophosxl.net
+  * sophosupd.com
+  * sophosupd.net
+  * mojave.net
+  * alert.hitmanpro.com
+  * tf-edr-message-upload-eu-central-1-prod-bucket.s3.amazonaws.com
+  * tf-edr-message-upload-eu-west-1-prod-bucket.s3.amazonaws.com
+  * tf-edr-message-upload-us-east-2-prod-bucket.s3.amazonaws.com
+  * tf-edr-message-upload-us-west-2-prod-bucket.s3.amazonaws.com
+  * mp.microsoft.com
+  * wdcp.microsoft.com
+  * definitionupdates.microsoft.com
+  * go.microsoft.com
+  * smartscreen.microsoft.com
+  * wns.windows.com
+  * logmeinrescue-enterprise.com
+  * duosecurity.com
+  * agentsmith.akamai-access.com