How to Gather Fiddler pcaps for Clientless VPN Application Based Issues

Created On 04/08/19 19:00 PM - Last Modified 04/23/20 17:51 PM


Objective
Why do we need FiddlerCap captures for Clientless VPN troubleshooting?

FiddlerCap is a web debugging proxy tool that can capture HTTP(S) traffic. It runs only on Windows. FiddlerCap can capture local traffic by using the machine's name as the host name rather than localhost. Fiddler is used to decrypt HTTPS traffic in order to resolve Clientless VPN application-based issues, such as some modules of the application not loading or being broken. These captures need to be collected in the WORKING SCENARIO only, i.e. when the user accesses the application DIRECTLY, not through the Clientless VPN portal.
 
Note: Please be aware that FiddlerCap can collect cleartext traffic, and all user credentials (usernames/passwords) exchanged during the capture will be visible in the collected data. These packet captures contain clear-text (unencrypted) communication between the browser and the firewall, and between the firewall and the application. It is recommended to use test credentials if logging into the problematic application is needed.

Note: For macOS/iPad/iOS devices, point the traffic towards a web proxy server and enable FiddlerCap captures on the server.


Procedure
Step 1: Install Fiddler on the test PC (https://www.telerik.com/fiddler)




Step 2: Once FiddlerCap is installed successfully, launch it on the test PC to capture the data.



Step 3: Please make sure that the root CA certificate named DO_NOT_TRUST_FiddlerRoot is NOT present in the Windows (and Firefox, if Firefox is to be used) Trusted Root certificate store. Please delete it if present. Then check the Store binaries, Decrypt HTTPS traffic, and Store cookies and POSTs boxes below.
 


Note: FiddlerCap captures clear-text web-browsing traffic for any HTTPS connection. Please make sure all applications generating HTTP/HTTPS traffic are closed on the PC before starting the capture.

Step 4: Please install the root CA certificate generated on-the-fly for SSL decryption by clicking Yes when prompted to install the certificate. The certificate can be deleted after the FiddlerCap captures are gathered.



Step 5: Chrome or Internet Explorer is preferred. If using Firefox (not preferred, but supported), modify the Connection Settings to Use system proxy settings. Also, please export the root CA certificate from the Windows store and import it into Firefox. While importing into Firefox, please make sure that only the Trust this CA to identify websites box is checked.
 
Step 6: Clear the cache of the browser that will be used to access the application. Click the Clear Cookies and Clear Cache buttons in FiddlerCap.



Step 7: Click Start Capture in FiddlerCap; the system default browser will be launched. If you are using a different browser to reproduce the issue, please close the current browser and launch the browser in question.

Step 8: Please have the user access the application directly (without the Clientless VPN portal involved) up to the problematic page. Once the problematic page loads completely, click Stop Capture. Next, click Save Capture; the captures will be saved in .SAZ format to be uploaded to the case.



Step 9: Once the FiddlerCap captures are collected, close the application. There should be a prompt to delete the root CA certificate installed on the machine for decryption. Click Yes.



Note: We also strongly recommend cleaning up the test PC after the log collection.

Performing Cleanup
**************************
  • If not prompted to delete the root CA certificate when closing FiddlerCap, then delete the certificate manually (using Internet Explorer and Chrome). If Firefox was used for navigation, then delete the certificate from Firefox as well.
  • If Firefox was used, revert the proxy settings to the original value.
  • (optional) Uninstall FiddlerCap using Control Panel > Programs and Features.
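
The check in Step 3 and the manual certificate cleanup above can also be done from PowerShell. The script below is an added example, not part of the original article or of FiddlerCap; the list of stores it inspects and the -Remove switch are assumptions made for the example, and it does not touch the separate Firefox certificate store.

```powershell
# Added example: report, and optionally remove, leftover Fiddler root CA certificates.
# The certificate name DO_NOT_TRUST_FiddlerRoot comes from the article.
param(
    [switch]$Remove   # hypothetical switch: without it the script only reports
)

$name = 'DO_NOT_TRUST_FiddlerRoot'

# Assumption: check the trusted root stores (user and machine) and the user's personal store.
$stores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\My'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like "*$name*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Path       = $_.PSPath
            }
        }
}

if (-not $found) {
    Write-Output "No $name certificate found in: $($stores -join ', ')"
    return
}

# Show every match so it can be compared before and after the capture session.
$found | Format-Table Store, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        try {
            # LocalMachine\Root needs an elevated session; Windows may ask for
            # confirmation when a certificate is deleted from a Root store.
            Remove-Item -Path $cert.Path -ErrorAction Stop
            Write-Output "Removed $($cert.Thumbprint) from $($cert.Store)"
        }
        catch {
            Write-Warning "Could not remove $($cert.Thumbprint) from $($cert.Store): $_"
        }
    }
}
```

Run it without arguments before Step 4 and again after Step 9; the second run should report that no certificate is found.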

