Google Play Store Not Loading Images
Created On 11/16/18 03:44 AM - Last Modified 09/10/24 11:24 AM
Symptom
An SSL Decryption policy causes the Google Play Store application to not display applications or images.
Environment
- Palo Alto Networks Firewalls
- Supported PAN-OS
- SSL Decryption (SSL Forward Proxy)
- Chromebook
Cause
Certain applications do not function properly when the firewall decrypts their traffic. Typically these are automatically excluded from SSL decryption via PAN-OS upgrade. In the case of the Google Play Store, the domains accessed are not part of the SSL decryption exclusion list. Therefore, these domains can be added to an SSL no-decrypt list.
PAN-OS Administration Guide Reference:
Traffic that breaks decryption for technical reasons, such as using a pinned certificate, an incomplete certificate chain, unsupported ciphers, or mutual authentication (decrypting blocks the traffic). Palo Alto Networks provides a predefined SSL Decryption Exclusion list (Device > Certificate Management > SSL Decryption Exclusion) that excludes hosts with applications and services that are known to break decryption technically from SSL Decryption by default. If you encounter sites that break decryption technically and are not on the SSL Decryption Exclusion list, you can add them to the list manually by server hostname. The firewall blocks sites whose applications and services break decryption technically unless you add them to the SSL Decryption Exclusion list.
Resolution
Overview
The steps below create a Custom URL Category and apply it to a no-decryption policy.
Steps
- Create a custom URL Category - Objects > Custom Objects > URL Category
- Add the following URLs to the list:
  - *.play.google.com
  - play.google.com
  - *.ggpht.com
  - *.googleapis.com
  - *.gvt1.com
  - *.googleusercontent.com
  - android.clients.google.com
- Create a decryption policy that applies No-Decrypt to the URLs - Policies > Decryption
  Example of the No-Decrypt policy:
- Afterwards, do a Commit to the firewall.
After the commit, check the traffic logs on the firewall, filtering on the test source client's traffic: the traffic should not be decrypted, and images should load properly.
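To cross-check the traffic-log result, the following added example (not from the original article or from Palo Alto Networks) tests observed server names against the seven URL entries above and shows which sessions the no-decrypt rule exempts, including hosts unrelated to the Play Store that the broad wildcards also cover. The matching model (a leading `*.` covers one or more whole labels but not the bare domain), the function names, and the sample hostnames are assumptions constructed for illustration.

```python
# Added example, not PAN-OS code. Assumed matching model: a leading "*."
# stands for one or more whole labels and never matches the bare domain.

# The seven entries from the article's custom URL category.
NO_DECRYPT_LIST = [
    "*.play.google.com", "play.google.com", "*.ggpht.com",
    "*.googleapis.com", "*.gvt1.com", "*.googleusercontent.com",
    "android.clients.google.com",
]


def entry_matches(entry, hostname):
    """True if one list entry covers the hostname (case-insensitive)."""
    entry = entry.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if entry.startswith("*."):
        suffix = entry[1:]  # e.g. ".play.google.com"
        # At least one character (a label) must precede the suffix.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def split_by_coverage(hostnames, entries=NO_DECRYPT_LIST):
    """Return ({exempt_host: matching_entry}, [hosts still decrypted])."""
    exempt, decrypted = {}, []
    for host in hostnames:
        hit = next((e for e in entries if entry_matches(e, host)), None)
        if hit:
            exempt[host] = hit
        else:
            decrypted.append(host)
    return exempt, decrypted

# Constructed sample of server names seen from the test client.
OBSERVED = [
    "play.google.com",
    "play-lh.googleusercontent.com",
    "android.clients.google.com",
    "storage.googleapis.com",   # not Play Store specific, still exempt
    "www.google.com",
    "clients.google.com",
]

if __name__ == "__main__":
    exempt, decrypted = split_by_coverage(OBSERVED)
    for host, entry in exempt.items():
        print(f"no-decrypt  {host:32} via {entry}")
    for host in decrypted:
        print(f"decrypt     {host}")
```

Feeding it the destination hostnames exported from the test client's sessions gives the set that should appear as not decrypted in the traffic logs; anything exempt that is not Play Store traffic is inspection coverage given up by the wildcard entries.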