How to collect FiddlerCap captures for Web Application content-rewrite issues through the Clientless VPN Portal

Created On 04/08/19 19:00 PM - Last Modified 09/07/22 14:49 PM


Objective

Why do we need FiddlerCap captures for Clientless VPN troubleshooting?

FiddlerCap is a web recorder proxy tool that captures HTTP and HTTPS traffic passing through a Windows machine. The Fiddler Session Archive (.saz) file it produces includes all the captured HTTP or HTTPS sessions and can help in troubleshooting an application content-rewrite issue (i.e. application content is not loading properly) through a Clientless VPN Portal.


The Fiddler Session Archive (.saz) capture files need to be collected for both the WORKING SCENARIO (i.e. when the user accesses the application DIRECTLY, not through the Clientless VPN Portal, and does not see any issues) and the NON-WORKING SCENARIO (i.e. when the user accesses the application via the Clientless VPN Portal and sees the issue). This is important so that the direct access can be compared with the rewritten application content served via the Clientless VPN Portal.


Note: Please be aware that FiddlerCap can collect cleartext traffic, and all user credentials (usernames/passwords) exchanged during the capture will be visible in the collected data. These packet captures contain clear-text (unencrypted) communication between the browser and the firewall, and between the firewall and the application. It is recommended to use test credentials if logging into the problematic application is needed.


Note: For macOS/iPad/iOS devices, point the traffic towards a web proxy server and enable FiddlerCap captures on the server

 


Procedure

Step 1: Install FiddlerCap on the test client PC (https://www.telerik.com/fiddler/fiddlercap)



Step 2: Once FiddlerCap is installed successfully, launch the application on the test PC to capture the data



Step 3:
Please make sure that the Root CA certificate with the name DO_NOT_TRUST_FiddlerRoot is NOT present in the Windows (and Firefox, if Firefox is to be used) Trusted Root certificate store. Please delete it if present. Check the Store binaries, Decrypt HTTPS traffic, and Store cookies and POSTs boxes.
 


Note: FiddlerCap captures clear-text web-browsing traffic for any HTTPS connection. Please make sure all applications and other browser tabs (generating HTTP/HTTPS traffic) are closed on the PC before starting the capture

Step 4:  Please install the root CA certificate generated on-the-fly for SSL decryption and click Yes to install the certificate. After gathering the FiddlerCaps, it can be deleted.



Note: FiddlerCap would not be able to decrypt traffic if the Clientless VPN Portal or the Web Application uses a Client Certificate for authentication

Step 5: Chrome or Internet Explorer is preferred. If using Firefox (not preferred, but supported), modify the Connection Settings to Use system proxy settings. Also, please export the root CA certificate from the Windows store and import it into Firefox. While importing into Firefox, please make sure that only the Trust this CA to identify websites box is checked.
 
Step 6: Please use the following steps in order to capture the WORKING SCENARIO sessions when the test user accesses the application DIRECTLY and does not see the issue (i.e. without the Clientless VPN Portal)

  • Step 6.1: Before starting the captures, please make sure all the other web browsers and applications generating HTTP/HTTPS traffic are closed. The objective is to collect only the HTTP/HTTPS sessions which are relevant to the application in question
  • Step 6.2: Click on Start Capture on FiddlerCap and the system default browser would be launched. If you want to use a different browser to reproduce the issue, please close the default launched browser and open the browser of your preference
 


 

  • Step 6.3: Delete the cache and cookies from the web browser that you are going to use to access the application:
    • Internet Explorer: Click on Clear Cookies and Clear Cache buttons on FiddlerCap
    • Microsoft Edge: Enter edge://settings/clearBrowserData in the address bar and hit Enter, or go to Settings > Privacy, search, and services > Clear browser data now > Choose what to clear. Select the Time Range (e.g. All time), check Cookies and other site data and Cached images and files, and hit Clear Now
    • Google Chrome: Enter chrome://settings/clearBrowserData in the address bar and hit Enter, or go to Settings > Privacy and security > Clear browsing data. Select the Time Range (e.g. All time), check Cookies and other site data and Cached images and files, and hit Clear data
    • Mozilla Firefox: Enter about:preferences#privacy in the address bar and hit Enter, or go to Options > Privacy & Security. Click on the remove individual cookies hyperlink to clear the cookies and click Clear Now next to Cached Web Content to clear the cache files
 
  • Step 6.4: Have the user access the application DIRECTLY (without the Clientless VPN portal involved) till the page that experiences an issue through the Clientless VPN Portal
  • Step 6.5: Enable the Details and make sure Fiddler is capturing the decrypted HTTPS sessions for the application
 


 

  • Step 6.6: Once the problematic page loads completely, click on Stop Capture. Next click Save Capture to save all the sessions as .saz file type and name it like FiddlerCap_<date>_DIRECT_WORKING.saz
 

  • Step 6.7: Close the web browser

Step 7: Please use the following steps in order to capture the NON-WORKING SCENARIO sessions when the test user accesses the application via Clientless VPN Portal and sees the issue
 

  • Step 7.1: Please follow Steps 6.1 to 6.3 again
  • Step 7.2: Have the user go to the Clientless VPN Portal, log in successfully, and access the application via the Clientless VPN Portal till the page that displays the issue
  • Step 7.3: Enable the Details and make sure Fiddler is capturing the decrypted HTTPS sessions for the application via Clientless VPN Portal
 
 
  • Step 7.4: Once the problematic page loads completely, click on Stop Capture. Next click Save Capture to save all the sessions as .saz file type and name it like FiddlerCap_<date>_CLVPN_NON-WORKING.saz
 


Step 8: Once FiddlerCaps are collected, close the application and there should be a prompt to delete the root CA installed on the machine for decryption. Click Yes



Note: Also, we strongly recommend cleaning up after the log collection on the test PC

Performing Cleanup
**************************

  • If not prompted to delete the root CA certificate when closing FiddlerCap, then delete the certificate manually (using Internet Explorer and Chrome). If Firefox was used for navigation, then delete the certificate from Firefox as well.
  • If Firefox was used, revert the proxy settings to the original value.
  • (optional) Uninstall FiddlerCap using Control Panel > Programs and Features.
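
Because the saved .saz files hold decrypted traffic, they can be checked for credentials and session cookies before they leave the test PC. The following is an added example, not part of the original article or of any vendor tooling: it relies on a .saz being a ZIP archive with raw/<N>_c.txt (request) and raw/<N>_s.txt (response) files, and the header list, form-field names, function names and sample capture are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Assumed lists: headers and form-field names that usually carry secrets.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
SENSITIVE_FIELDS = re.compile(r"(?i)(?:^|&)(pass(?:word|wd)?|pwd|passcode|token)=[^&]+")
SESSION_FILE = re.compile(r"^raw/(\d+)_([cs])\.txt$")  # c = request, s = response

def audit_saz(saz):
    """Return sorted (session, kind, name) findings; secret values are never returned."""
    findings = set()
    with zipfile.ZipFile(saz) as archive:
        for name in archive.namelist():
            match = SESSION_FILE.match(name)
            if not match:
                continue
            session, side = int(match.group(1)), match.group(2)
            head, _, body = archive.read(name).partition(b"\r\n\r\n")
            # Skip the request/status line, then inspect header names only.
            for line in head.decode("latin-1").split("\r\n")[1:]:
                header = line.split(":", 1)[0].strip().lower()
                if header in SENSITIVE_HEADERS:
                    findings.add((session, "header", header))
            if side == "c":  # form posts only appear in request bodies
                for field in SENSITIVE_FIELDS.finditer(body.decode("latin-1")):
                    findings.add((session, "form-field", field.group(1).lower()))
    return sorted(findings)

def build_sample_saz():
    """Constructed two-session capture (host and credentials are made up)."""
    login = (b"POST /login HTTP/1.1\r\nHost: app.example.test\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             b"user=testuser&password=NotARealSecret")
    reply = b"HTTP/1.1 302 Found\r\nSet-Cookie: SESSIONID=constructed\r\n\r\n"
    page = (b"GET /home HTTP/1.1\r\nHost: app.example.test\r\n"
            b"Cookie: SESSIONID=constructed\r\n\r\n")
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("raw/1_c.txt", login)
        archive.writestr("raw/1_s.txt", reply)
        archive.writestr("raw/2_c.txt", page)
    buffer.seek(0)
    return buffer

if __name__ == "__main__":
    for session, kind, name in audit_saz(build_sample_saz()):
        print(f"session {session}: {kind} '{name}' present")
```

audit_saz also accepts a file path, so it can be run against both the DIRECT_WORKING and CLVPN_NON-WORKING captures; any finding tied to a real account means the credential should be rotated or the capture retaken with test credentials.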

