Google Play Store Not Loading Images
Created On 11/16/18 03:44 AM - Last Updated 02/08/19 21:25 PM
Decryption Policy SSL Forward Proxy URL Category Decryption URL Filtering 8.1 PAN-OSSymptom
SSL Decryption policy causing the Google Play Store application to not display applications or images.
- SSL Decryption
Certain applications do not function properly when the firewall decrypts. Typically these are automatically excluded from SSL decryption via PANOS upgrade. In the case of the Google Play Store, the domains accessed are not part of the SSL decryption exclusion list. Therefore, these domains can be added to a SSL no decrypt list.
PANOS Administration Guide Reference:
Traffic that breaks decryption for technical reasons, such as using a pinned certificate, an incomplete certificate chain, unsupported ciphers, or mutual authentication (decrypting blocks the traffic). Palo Alto Networks provides a predefined SSL Decryption Exclusion list (DeviceCertificate managementSSL Decryption Exclusion) that excludes hosts with applications and services that are known to break decryption technically from SSL Decryption by default. If you encounter sites that break decryption technically and are not on the SSL Decryption Exclusion list, you can add them to list manually by server hostname. The firewall blocks sites whose applications and services break decryption technically unless you add them to the SSL Decryption Exclusion list.
Steps below will involve creating a Custom URL Category and applying it to a no-decryption policy.
- Create a custom URL Category - Objects > Custom Objects > URL Category
- Add the following URLs to the list:
- Create a decryption policy that is doing No-Decrypt on the URLs - Policies > Decryption
Example of the No-Decrypt policy:
- Afterwards, do a Commit to the firewall.
Upon checking the traffic logs on the firewall, the traffic should not be decrypted when filtering on the test source client's traffic and images should be properly loading.