Google Play Store Not Loading Images

Google Play Store Not Loading Images

3169
Created On 11/16/18 03:44 AM - Last Updated 02/08/19 21:25 PM
Decryption Policy SSL Forward Proxy URL Category Decryption URL Filtering 8.1 PAN-OS
Symptom
SSL Decryption policy causing the Google Play Store application to not display applications or images. 

Environment
  • SSL Decryption
  • Chromebook 


Cause
Certain applications do not function properly when the firewall decrypts. Typically these are automatically excluded from SSL decryption via PANOS upgrade. In the case of the Google Play Store, the domains accessed are not part of the SSL decryption exclusion list. Therefore, these domains can be added to a SSL no decrypt list. 

PANOS Administration Guide Reference:
Traffic that breaks decryption for technical reasons, such as using a pinned certificate, an incomplete certificate chain, unsupported ciphers, or mutual authentication (decrypting blocks the traffic). Palo Alto Networks provides a predefined SSL Decryption Exclusion list (DeviceCertificate managementSSL Decryption Exclusion) that excludes hosts with applications and services that are known to break decryption technically from SSL Decryption by default. If you encounter sites that break decryption technically and are not on the SSL Decryption Exclusion list, you can add them to list manually by server hostname. The firewall blocks sites whose applications and services break decryption technically unless you add them to the SSL Decryption Exclusion list.


Resolution
Overview
Steps below will involve creating a Custom URL Category and applying it to a no-decryption policy.

Steps
  1.  Create a custom URL Category - Objects > Custom Objects > URL Category
Create custom URL Category
 
  1. Add the following URLs to the list:
  • *.play.google.com
  • play.google.com
  • *.ggpht.com
  • *.googleapis.com
  • *.gvt1.com
  • *.googleusercontent.com
  • android.clients.google.com 
 
  1.  Create a decryption policy that is doing No-Decrypt on the URLs - Policies > Decryption 
Create a Decryption Policy

Example of the No-Decrypt policy:
No decryption policy example
 
  1.  Afterwards, do a Commit to the firewall.
When the commit has successfully gone through, attempt to run traffic via the Chromebook.
Upon checking the traffic logs on the firewall, the traffic should not be decrypted when filtering on the test source client's traffic and images should be properly loading.


Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmJQCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments