AnyDesk Application is intermittently being decrypted and discarded, although it is in SSL decryption exclude list

Created On 03/15/22 07:56 AM - Last Modified 12/20/23 22:47 PM


Symptom


  • "*.net.anydesktop.com" is added to a custom URL category, and a decryption policy with the action 'No Decrypt' is configured for "*.net.anydesktop.com".
  • The CA certificate was imported and marked as a trusted root CA on the firewall. Although this configuration is correct, the packets are still seen being decrypted.
  • The error "Received fatal alert UnknownCA from client" can be observed in the decryption log.
  • There are no SNIs in the decryption log, which means the Client Hello sent from the client did not have SNI.


Environment


  • Palo Alto Firewall
  • Supported PAN-OS
  • SSL Decryption


Cause


  • The firewall receives the Client Hello without a Server Name Indication (SNI).
  • Without an SNI there is no hostname to match against the custom URL category, so the firewall falls back to the destination IP address to resolve the URL category.
  • Since the destination IP address is not yet known to belong to the excluded category, the firewall starts to decrypt the session; the client then rejects the firewall's forward-proxy certificate, which produces the "Received fatal alert UnknownCA from client" entry in the decryption log.
  • Meanwhile the IP address is resolved and the firewall determines that the URL is excluded from decryption.
  • From the second session onwards the firewall skips decryption, because the IP address is now known to belong to the excluded category. This is why the behavior is intermittent rather than constant.
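The whole problem hinges on whether the Client Hello carries an SNI, which is easy to verify from a packet capture of the first TLS record a client sends. The following Python, added here as an illustration and not part of the article or of PAN-OS, parses a ClientHello record and reports the server_name if present; `build_client_hello` only constructs sample records for the demonstration, and the hostname "client1.net.anydesktop.com" is a constructed placeholder.

```python
import fnmatch
import struct

def build_client_hello(sni=None):
    """Constructed minimal TLS 1.2 ClientHello record (sample data, not a real capture)."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += b"\x00\x02\x13\x01"                     # one cipher suite
    body += b"\x01\x00"                             # compression methods: null only
    ext = b""
    if sni:                                         # server_name extension (type 0)
        name = sni.encode("ascii")
        names = b"\x00" + struct.pack(">H", len(name)) + name
        data = struct.pack(">H", len(names)) + names
        ext = struct.pack(">HH", 0, len(data)) + data
    body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + struct.pack(">I", len(body))[1:] + body   # handshake type + 3-byte length
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

def extract_sni(record):
    """Return the server_name from a TLS ClientHello record, or None if the client sent no SNI."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 9 + 2 + 32                                   # record hdr + handshake hdr + version + random
    p += 1 + record[p]                               # session id
    p += 2 + struct.unpack(">H", record[p:p + 2])[0]  # cipher suites
    p += 1 + record[p]                               # compression methods
    if p >= len(record):
        return None                                  # no extensions block at all
    end = p + 2 + struct.unpack(">H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack(">HH", record[p:p + 4])
        p += 4
        if etype == 0:                               # ServerNameList: 2-byte length, then entries
            q = p + 2
            while q + 3 <= p + elen:
                ntype, nlen = record[q], struct.unpack(">H", record[q + 1:q + 3])[0]
                if ntype == 0:                       # host_name entry
                    return record[q + 3:q + 3 + nlen].decode("ascii", "replace")
                q += 3 + nlen
        p += elen
    return None

def matches_no_decrypt(record, patterns):
    """Mirror the firewall's first decision: only a hostname can match a URL pattern.
    A Client Hello without SNI can never match here; the firewall falls back to the destination IP."""
    sni = extract_sni(record)
    return sni is not None and any(fnmatch.fnmatch(sni, pat) for pat in patterns)
```

Run `extract_sni` over the raw bytes of the client's first TLS record from a capture: a `None` result confirms the no-SNI condition described above.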


Resolution


Use one of the following:
  1. Change the client-side behavior so that the client sends a Server Name Indication (SNI) in its Client Hello.
  2. Check with the AnyDesk provider and obtain all of the FQDNs used by the application, then build the No Decrypt policy on those FQDNs rather than on a URL category.
