Palo Alto Networks Knowledgebase: SSL Decrypt Sites Being Blocked by Default Rule

Created On 02/07/19 23:40 PM - Last Updated 02/07/19 23:40 PM
Issue

All SSL-encrypted sites that the firewall is set to decrypt are blocked by a default rule and do not hit the allow rule that precedes it.

 

Resolution

If a policy is set for the application "web-browsing" and the service is set to "application-default", SSL traffic will never hit the policy because it comes in on port 443. The default port for "web-browsing" is port 80. Even though the application is identified as "web-browsing", the port is not the default, so the traffic goes to the next matching policy. Setting the service to "any" in the allow rule resolves the issue.
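The fall-through described above, as an added example that is not from the original article and is not PAN-OS code: a simplified model of first-match policy evaluation. The rule names, the final deny rule and the sample sessions are assumptions made for illustration; the only default-port entry is the one the article states.

```python
# Simplified model of first-match security policy evaluation (not PAN-OS code).
from dataclasses import dataclass

# Default ports per application; web-browsing -> 80 is the value the article states.
APP_DEFAULT_PORTS = {"web-browsing": {80}}

@dataclass(frozen=True)
class Rule:
    name: str          # hypothetical rule name
    application: str   # application name or "any"
    service: str       # "application-default" or "any"
    action: str        # "allow" or "deny"

def service_matches(rule, app, port):
    """Check the service column of a rule against the session's port."""
    if rule.service == "any":
        return True
    # application-default: port must be a default port of the identified application
    return port in APP_DEFAULT_PORTS.get(app, set())

def evaluate(rules, app, port):
    """Return (rule name, action) of the first rule that matches the session."""
    for rule in rules:
        if rule.application in ("any", app) and service_matches(rule, app, port):
            return rule.name, rule.action
    return "no-match", "deny"

# Hypothetical rulebases: the allow rule followed by a blocking default rule.
DEFAULT_DENY = Rule("default-deny", "any", "any", "deny")
BEFORE = [Rule("allow-web", "web-browsing", "application-default", "allow"), DEFAULT_DENY]
AFTER = [Rule("allow-web", "web-browsing", "any", "allow"), DEFAULT_DENY]

def demo():
    """Constructed sessions: traffic identified as web-browsing on several ports."""
    return {
        "before_80": evaluate(BEFORE, "web-browsing", 80),      # plain HTTP
        "before_443": evaluate(BEFORE, "web-browsing", 443),    # decrypted SSL
        "after_443": evaluate(AFTER, "web-browsing", 443),      # service set to any
        "after_8080": evaluate(AFTER, "web-browsing", 8080),    # also matches now
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

In this model the corrected rule also matches web-browsing on every other port, because the service column no longer restricts the port.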

 


 

owner:  nayubi


