Palo Alto Networks Knowledgebase: Decrypting Traffic from Google Drive Client Software Breaks Connection

Created On 02/08/19 00:01 AM - Last Updated 02/08/19 00:01 AM

Issue

When using the Google Drive client software with decryption enabled on the Palo Alto Networks firewall, the connection breaks and the Google Drive software does not synchronize files to the cloud.


Cause

The Palo Alto Networks firewall does not identify traffic from the Google Drive client software as "Google Drive" through the application database; it is identified only as "SSL." If decryption is enabled for SSL traffic, the sessions generated by the Google Drive client fail decryption. With SSL Forward Proxy decryption, the firewall terminates the client's TLS session: it receives the external site's real certificate, then presents the client with a substitute certificate for that site signed by the firewall's own forward trust CA (typically a self-signed CA certificate generated on the firewall). A client that trusts that CA encrypts to the firewall, which decrypts and inspects the traffic and then re-encrypts it toward the website, which still uses its real certificate.


When the Google Drive client software installed on a desktop connects to the Google servers, it expects a certificate that chains to Google's real CA; unlike a browser on the same PC, it does not accept a certificate issued by the firewall's forward trust CA. With SSL decryption enabled, the client therefore receives what it treats as an untrusted certificate from the Palo Alto Networks device, rejects it, and the connection fails.


Resolution

There are two workarounds:

  • Configure a no-decrypt decryption policy rule that matches a custom URL category containing the Google Drive sites. Traffic to those sites then bypasses decryption and the client receives Google's real certificate. Keep the category narrow (only the hosts the client actually contacts, as seen in the firewall's traffic logs), because nothing matched by the no-decrypt rule is inspected.
  • Run the Google Drive client software with the --unsafe_network flag, so that it accepts untrusted certificates. Note that this disables the client's certificate check on every network the PC connects from, not only behind the firewall.
    1. Open the Google Drive menu on the desktop and select Quit Google Drive.
    2. Start the command line by running cmd.exe.
    3. On the command line, navigate into the Google Drive folder:
       - On a 32-bit system, the folder is C:\Program Files\Google\Drive.
       - On a 64-bit system, the folder is C:\Program Files (x86)\Google\Drive.
    4. Start the client with the flag:
       C:\Program Files (x86)\Google\Drive>googledrivesync.exe --unsafe_network

The Google Drive client synchronizes after a few minutes.

Note: With this option, the client must be started in this mode from the command prompt every time it is opened. If there are many users on the network, doing this by hand for everyone is impractical; consider running a script on each system instead.
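A script for the second workaround, written here as an added example (it is not part of the article and not Google's or Palo Alto Networks' code). It finds the client in the two install folders the article lists, ends any running instance, and starts it with --unsafe_network; with -RegisterAtLogon it also registers a scheduled task so the flag is applied at every logon. Two assumptions the article does not state: the process name "googledrivesync" matches the executable name, and the client's own start-at-login setting has been turned off (otherwise an instance without the flag starts first).

```powershell
# Added example (not from the Palo Alto Networks article): apply the
# "--unsafe_network" workaround without starting the client from cmd.exe by hand.
# Assumptions not stated in the article: the process name "googledrivesync"
# matches the executable name, and the client's own start-at-login setting
# has been turned off.

[CmdletBinding()]
param(
    # Register a scheduled task so the client starts with the flag at every logon.
    [switch]$RegisterAtLogon
)

$ErrorActionPreference = 'Stop'

# Install folders from the article: "Program Files" on 32-bit Windows,
# "Program Files (x86)" on 64-bit Windows. The (x86) variable is empty on a
# 32-bit system, so drop it before building paths.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$candidates = foreach ($root in $roots) {
    Join-Path -Path $root -ChildPath 'Google\Drive\googledrivesync.exe'
}
$exe = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $exe) {
    throw "googledrivesync.exe not found; looked in: $($candidates -join '; ')"
}
$driveDir = Split-Path -Path $exe -Parent

# Step 1 of the procedure (Quit Google Drive): end any running instance,
# including one started without the flag. SilentlyContinue covers "not running".
Get-Process -Name 'googledrivesync' -ErrorAction SilentlyContinue |
    Stop-Process -Force
Start-Sleep -Seconds 2

if ($RegisterAtLogon) {
    # Repeat steps 3-4 at each logon. The task runs as the current user;
    # -Force overwrites an earlier registration with the same name.
    $action  = New-ScheduledTaskAction -Execute $exe -Argument '--unsafe_network' `
                                       -WorkingDirectory $driveDir
    $trigger = New-ScheduledTaskTrigger -AtLogOn
    Register-ScheduledTask -TaskName 'GoogleDrive-UnsafeNetwork' -Action $action `
                           -Trigger $trigger -Force | Out-Null
}

# Steps 3-4 now: start the client with the flag. Start-Process returns at once,
# so the script does not block on the client.
Start-Process -FilePath $exe -ArgumentList '--unsafe_network' -WorkingDirectory $driveDir
Write-Verbose "Started $exe --unsafe_network"
```

Run it once per PC as `.\Start-GoogleDriveUnsafe.ps1 -RegisterAtLogon` (or deploy it as a logon script). Because the flag turns off certificate validation in the client everywhere, prefer the no-decrypt policy for laptops that also leave the corporate network.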


Note: The same issue occurs with other client-based applications, such as the Twitter and Dropbox clients, that validate the server certificate themselves rather than accepting the firewall's forward trust CA.


See Also

Controlling SSL Decryption


owner: ssunku

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cla6CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail