Wednesday, December 13, 2023

PANOS decryption tip

I was troubleshooting something with an org a while back where they needed to do decryption for just one "URL", but the  FQDN IP address matching matches numerous sites.

So let's use example.com which has the following;

www.example.com

www.example.net.

www.example.org

and www.example.edu

all map to the same single IP. address; 93.184.216.34

kfelix@kfelixs-MacBook-Air ~ % host www.example.com 

www.example.com has address 93.184.216.34

www.example.com has IPv6 address 2606:2800:220:1:248:1893:25c8:1946

kfelix@kfelixs-MacBook-Air ~ % host www.example.net

www.example.net has address 93.184.216.34

www.example.net has IPv6 address 2606:2800:220:1:248:1893:25c8:1946

kfelix@kfelixs-MacBook-Air ~ % host www.example.org

www.example.org has address 93.184.216.34

www.example.org has IPv6 address 2606:2800:220:1:248:1893:25c8:1946

kfelix@kfelixs-MacBook-Air ~ % host www.example.edu

www.example.edu has address 93.184.216.34

www.example.edu has IPv6 address 2606:2800:220:1:248:1893:25c8:1946

kfelix@kfelixs-MacBook-Air ~ % 


So let's say you want to decrypt traffic to www.example.com and not the others. 


Do not use a decryption rule with an IP or FQDN address object in the decryption n rule. 


You should use a "custom URL" list. Here are a few screenshots of how that would look from the web UI


1st the wrong method was deployed ( they had used an address object FQDN ) 




Now the method was changed to use a custom URL list the destination field for IP was left as an ANY.






Now www.exmple.net was not decrypted when user-initiated traffic to that "URL" based on traffic log



But https://www.exmple.com was decrypted when user-initiated traffic to that "URL"









NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \


No comments:

Post a Comment