paloaltonetworks:configuration:decryption

paloaltonetworks:configuration:decryption [2020/10/01 12:05] bstaffordpaloaltonetworks:configuration:decryption [2022/11/23 12:49] (current) – external edit 127.0.0.1
Line 10: Line 10:
 <code>show system setting ssl-decrypt exclude-cache</code> <code>show system setting ssl-decrypt exclude-cache</code>
 To get statistics, run, To get statistics, run,
-<code>debug dataplane show ssl decrypt ssl stats</code>+<code>debug dataplane show ssl-decrypt ssl-stats</code>
  
 To disabled decryption across the whole firewall (WITHOUT COMMITING), run To disabled decryption across the whole firewall (WITHOUT COMMITING), run
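Review bot: the corrected command name `debug dataplane show ssl-decrypt ssl-stats` is consistent with the hyphenated `ssl-decrypt` form used in `show system setting ssl-decrypt exclude-cache` just above and in the `debug dataplane show ssl-decrypt bitmask-cipher` command later on the page, so this reads as a genuine fix rather than a cosmetic one. The unchanged context line that follows still has two typos that could be fixed in the same pass: "To disabled decryption" should be "To disable decryption" and "COMMITING" should be "COMMITTING".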
Line 45: Line 45:
 =====Decryption Profile===== =====Decryption Profile=====
  
-* Consider appending certificate CN value to SAN extension. +  * Consider appending certificate CN value to SAN extension. 
-* Consider blocking RSA and DHE +  * Consider blocking RSA and DHE 
-* Consider allowing GCM only and SHA256 and higher only. +  * Consider allowing GCM only and SHA256 and higher only. 
-* Strip ALPN for HTTP Header Insertion and Clientless VPN.+  * Strip ALPN for HTTP Header Insertion and Clientless VPN.
  
 Remember, if you want the firewall to actually check the status of certificates, you have to enable that at Remember, if you want the firewall to actually check the status of certificates, you have to enable that at
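Review bot: the two-space indent added to the four bullets is what DokuWiki needs to render `*` items as a list, so this fixes rendering rather than wording, but none of the bullets says why the setting is recommended. A short clause per item stating the risk it addresses (what "Consider blocking RSA and DHE" protects against, why "GCM only and SHA256 and higher only", and which feature "Strip ALPN" is required for) would let a reader decide whether each item applies to their deployment instead of taking it on trust.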
Line 54: Line 54:
  
 Skype for Business will break if you tick ''block session with unsupported versions''. Skype for Business will break if you tick ''block session with unsupported versions''.
 +
 +Random sites with two certificate chains will break if you tick "block expired certs" if one of the chains expires. This applies even if you only block expired certs on "no decrypt" sites.
  
 =====Get Firefox to Use System CA Store===== =====Get Firefox to Use System CA Store=====
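Review bot: the added note on sites with two certificate chains quotes the option as "block expired certs" in plain double quotes, while the Skype line directly above uses the ''block session with unsupported versions'' monospace markup for a profile option; use the same markup and the exact option label so readers can locate it in the decryption profile. It would also help to state the behaviour the user sees (the session is blocked, not merely logged) and to say explicitly that the caveat covers the No Decryption profile, which the phrase "no decrypt" sites only implies.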
Line 72: Line 74:
 <code>watson.telemetry.microsoft.com <code>watson.telemetry.microsoft.com
 watson.microsoft.com</code> watson.microsoft.com</code>
 +
 +For Chromebooks to access the Internet (Aug 2021)
 +<code>accounts.google.com/
 +chrome.google.com/
 +connectivitycheck.android.com/
 +*.ggpht.com/</code>
 +
 For Cortex XDR Traffic: For Cortex XDR Traffic:
 <code>*.traps.paloaltonetworks.com <code>*.traps.paloaltonetworks.com
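Review bot: the four Chromebook entries carry a trailing "/" while the other exclusions in this section (watson.telemetry.microsoft.com, watson.microsoft.com, *.traps.paloaltonetworks.com) are bare hostnames; if these are SSL decryption exclusion entries the slash should be dropped, and if they are URL-category entries for a no-decrypt rule the heading should say so, since the two are configured in different places. The "(Aug 2021)" date on this list is good practice and the other exclusion lists on this page would benefit from the same.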
Line 288: Line 297:
 To see what SSL/TLS protocls are in use on a server, use this command To see what SSL/TLS protocls are in use on a server, use this command
 <code>nmap --script ssl-enum-ciphers -p 443 1.1.1.1</code> <code>nmap --script ssl-enum-ciphers -p 443 1.1.1.1</code>
 +===== Download Certificate ===== 
 +<code>openssl s_client -showcerts -servername www.example.com -connect www.example.com:443</code>
 ===== Inbound Inspection Limitation ===== ===== Inbound Inspection Limitation =====
  
 Prior to PAN-OS 8.0, Palo could not do inbound inspection on DHE or ECDHE. Prior to PAN-OS 8.0, Palo could not do inbound inspection on DHE or ECDHE.
  
-If you place the Palo between the internet and (say) F5 load balancers that terminated the SSL connections, you may haveto add the following to the cipher configuration of the appliances. +If you place the Palo between the internet and (say) F5 load balancers that terminated the SSL connections, you may have to add the following to the cipher configuration of the appliances. 
-<pre>:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:!ECDHE+AES-GCM:!ECDHE+AES:!ECDHE+3DES</pre>+<code>:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:!ECDHE+AES-GCM:!ECDHE+AES:!ECDHE+3DES</code>
  
 ===== Chrome CN Field ===== ===== Chrome CN Field =====
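Review bot: the new Download Certificate section lacks the blank line before the following ===== Inbound Inspection Limitation ===== heading that the rest of the page uses between sections, and the `openssl s_client -showcerts` command as written only prints the chain to the terminal, so a one-line note that the output has to be redirected to a file would make the heading match what the command does. The `<pre>` to `<code>` change and the "haveto" fix in the F5 paragraph are correct; since the cipher string begins with ":" and consists only of "!" exclusions it is clearly a fragment to append to an existing cipher string, and saying so explicitly would stop someone pasting it as the entire configuration.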
Line 376: Line 386:
 <code>debug dataplane show ssl-decrypt bitmask-cipher <bitmask-value></code> <code>debug dataplane show ssl-decrypt bitmask-cipher <bitmask-value></code>
  
-    +===== Office365 Certificates ===== 
 +Microsoft list their root and intermediate certificates [[https://docs.microsoft.com/en-gb/microsoft-365/compliance/encryption-office-365-certificate-chains?|here]].
  
 +===== Sophos Decryption Exception =====
 +List of URLs that Sophos excludes from decryption
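Review bot: the Sophos Decryption Exception section has no source link or date, unlike the Office365 Certificates entry above it, which links to Microsoft's page, and the Chromebook list earlier on the page, which is dated; vendor exclusion lists go stale quickly, so cite where this list was taken from and when, and state whether it is reproduced verbatim or edited. The introductory sentence "List of URLs that Sophos excludes from decryption" should also end with a colon or full stop to match the other list lead-ins on the page.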
paloaltonetworks/configuration/decryption.1601553950.txt.gz · Last modified: (external edit)