05-13-2025 08:23 AM
Hello,
I'm trying to figure out any reasons that the decryption exclusion would not be working. As the traffic is being denied:
What could I be doing wrong in my config to have this exception not work?
05-13-2025 09:06 AM - edited 05-13-2025 09:09 AM
@CPATT wrote:
Hello,
I'm trying to figure out any reasons that the decryption exclusion would not be working. As the traffic is being denied:
What could I be doing wrong in my config to have this exception not work?
I don't think this has anything to do with decryption. We'd need to see the larger pop-out window of the log, but the "Deny" action is probably because of a threat profile action, or maybe it's matching a deny action from a URL profile.
--edit--
If this were because of a decryption issue you'd see a "decrypt-error" log message. You can also look at the decryption logs for this particular traffic to see if it is being decrypted (and why it is). You can also add the "Decrypted" column to the traffic log; if it is "yes", then the traffic is being decrypted. The log filter field is something like (has proxy="yes").
05-13-2025 10:25 AM
My apologies, I should've included more context in the screenshots; here it is:
And the decryption log:
05-13-2025 10:30 AM
Sorry for the poor resolution on those screenshots here are better ones:
05-13-2025 11:03 AM
@CPATT -- So yeah, it's definitely a decryption problem, like you mentioned. You've already shown that this traffic should be matching a global decryption exclusion. One thing I'd be curious about: is the URL that was seen in the URL logs the same as what's in the exclusion?
From your screenshot there are a couple of things going on that might be worth investigating. First, why is the firewall trying to decrypt it? You'd need to confirm the URL on the exclusion matches the traffic. If it does, that might need to be a TAC ticket. You can also try adding the URL to your own "no decrypt" rule and see if that solves your issue. The cert also shows untrusted. Palo has created a nice little easter egg in their decryption process: the firewall needs to have the root and intermediate cert authorities on the firewall in order to successfully decrypt SSL traffic. The fact that the error is saying the cert is untrusted, to me, means the firewall doesn't have this cert's full chain, hence why it's throwing the error. This error shouldn't be happening, though.
You have 2 options: manually add it to a no-decrypt rule and see if it solves your issue. If it does, move on. If it doesn't, or you want further answers, you'll need a support case. You could also try making sure the full cert chain (Root & Intermediate) is loaded on the firewall and see if that solves the issue.
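The reply above boils down to two checks: does the hostname the firewall logged actually match the exclusion entry, and is the full issuing chain available to the firewall? The script below is an added example (not Palo Alto Networks code and not from anyone in this thread) that works through both on constructed data. It assumes PAN-OS-style wildcard semantics for the exclusion entry ('*' matches one or more labels, '^' matches exactly one label, labels split on '.') and represents certificates only as (subject, issuer) name pairs; both are simplifications labelled in the code.

```python
"""Offline diagnostics for a decryption exclusion that does not seem to match.

Added example; assumptions (not verified against PAN-OS source):
- exclusion entries use wildcards where '*' = one or more DNS labels and
  '^' = exactly one label, compared case-insensitively against the full
  hostname (SNI or certificate CN) from the decryption log.
- certificates are modelled as (subject, issuer) name pairs only.
"""
import re


def _pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an exclusion entry such as '*.example.com' into a regex."""
    parts = []
    for label in pattern.lower().split("."):
        if label == "*":
            parts.append(r"[^.]+(?:\.[^.]+)*")   # one or more labels
        elif label == "^":
            parts.append(r"[^.]+")               # exactly one label
        else:
            parts.append(re.escape(label))       # literal label
    return re.compile(r"^" + r"\.".join(parts) + r"$")


def exclusion_matches(pattern: str, hostname: str) -> bool:
    """True if the logged hostname would be covered by the exclusion entry."""
    return _pattern_to_regex(pattern).match(hostname.lower().rstrip(".")) is not None


def chain_status(server_chain, loaded_cas):
    """Walk the chain the server presented, leaf first, until an issuer is found
    among the CAs loaded on the firewall.

    server_chain: list of (subject, issuer) pairs, leaf first, as sent by the server.
    loaded_cas:   set of subject names of CA certs installed on the firewall.
    Returns (trusted: bool, detail: str).
    """
    by_subject = {subj: iss for subj, iss in server_chain}
    subject, issuer = server_chain[0]
    visited = set()
    while True:
        if issuer in loaded_cas:
            return True, f"chain terminates at loaded CA '{issuer}'"
        if subject == issuer:
            return False, f"self-signed root '{subject}' is not loaded on the firewall"
        if issuer in by_subject and issuer not in visited:
            visited.add(subject)
            subject, issuer = issuer, by_subject[issuer]   # step up one level
            continue
        # issuer neither sent by the server nor installed: the "untrusted" case
        return False, f"missing issuer '{issuer}' (not in server chain, not loaded)"


# --- constructed sample data (not from the thread's screenshots) -------------
EXCLUSION_ENTRY = "*.example.com"
LOGGED_HOST = "www.example.com"

# Server sends leaf + intermediate; firewall has only the root loaded.
COMPLETE_CHAIN = [("www.example.com", "Example Intermediate CA"),
                  ("Example Intermediate CA", "Example Root CA")]
# Server sends only the leaf; intermediate is nowhere to be found.
LEAF_ONLY_CHAIN = [("www.example.com", "Example Intermediate CA")]
FIREWALL_CAS = {"Example Root CA"}

if __name__ == "__main__":
    print("exclusion matches logged host:",
          exclusion_matches(EXCLUSION_ENTRY, LOGGED_HOST))
    print("exclusion matches apex domain:",
          exclusion_matches(EXCLUSION_ENTRY, "example.com"))
    print("complete chain:", chain_status(COMPLETE_CHAIN, FIREWALL_CAS))
    print("leaf-only chain:", chain_status(LEAF_ONLY_CHAIN, FIREWALL_CAS))
```

The second case is the one the reply describes: the leaf names an intermediate that the server never sent and that is not loaded on the firewall, so the walk stops with a missing issuer rather than reaching a trusted root. Loading the intermediate (or the full Root + Intermediate pair) on the firewall turns that result into a trusted chain without changing the server.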
05-13-2025 01:10 PM
I was able to resolve this by adding the URL to a no decrypt rule. Thank you for confirming my suspicions and the help @Brandon_Wertz !