How to Identify That a Secure Cloud Proxy Is Attempting to Perform SSL Decryption on the Secure Connection to the Wildfire Cloud Service
Created On 03/15/22 03:27 AM - Last Modified 11/18/22 03:52 AM
Objective
Steps to troubleshoot and identify potential issues with third-party secure cloud proxy services that may disrupt communication to the Wildfire Cloud service.
Environment
- Palo Alto Firewall
- Supported PAN-OS
- Wildfire Cloud
Procedure
- Verify whether the System logs (show log system) show failed connections to the Wildfire Cloud.
- Similarly, verify whether "show wildfire status" reports certificate authentication issues.
- Check varrcvr.log (> less mp-log varrcvr.log) for certificate errors involving the secure web proxy.
- PAN-OS registers with the Wildfire Cloud using an HTTPS request that presents the PAN-OS client certificate, and the firewall validates the cloud's server certificate in return.
- If a secure web proxy service capable of SSL Decryption sits in the path, that proxy may be attempting to decrypt the secure communication from the Palo Alto Networks firewall to the Wildfire Cloud service. A decrypting proxy presents its own certificate instead of the cloud's, so the firewall's certificate check fails.
- Check varrcvr.log to see whether the customer's secure web proxy is attempting to perform SSL Decryption on the secure session to the Wildfire Cloud.
- varrcvr.log records the communication between the firewall and the Wildfire Cloud.
> less mp-log varrcvr.log
2022-02-19 08:17:42.430 -0500
*******************************************************************************
************************* STARTING VARDATA RECEIVER ***************************
*******************************************************************************
2022-02-19 08:17:42.736 -0500 sysd worker[0]: 7fb7e28d3700: starting up...
2022-02-19 08:17:42.736 -0500 sysd worker[1]: 7fb7e24d2700: starting up...
2022-02-19 08:17:42.736 -0500 sysd worker[2]: 7fb7e20d1700: starting up...
2022-02-19 08:17:42.737 -0500 sysd worker[3]: 7fb7e1cd0700: starting up...
2022-02-19 08:17:42.739 -0500 set curl memory functions
2022-02-19 08:17:42.739 -0500 set openssl memory functions
2022-02-19 08:17:42.818 -0500 check disk /opt/panlogs/session/pan/dlp/ usage max 20971520
loading dlp key ...
…
/Cisco
- When using the less command, type the "/" character followed by a search string to jump to the lines that match it.
- In this case, the search shows that the customer has a Cisco Umbrella proxy attempting to decrypt the secure session to the Wildfire Cloud.
- Once confirmed, whitelist the domains associated with the Wildfire Cloud from SSL Inspection in the secure proxy. The following URLs must be whitelisted from SSL decryption in the cloud proxy service:
- panos.wildfire.paloaltonetworks.com
- wildfire.paloaltonetworks.com
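As an added illustration (not part of this article or of any Palo Alto Networks tool), a small Python script applies the same two checks offline: it scans varrcvr.log-style lines for certificate errors and for a peer-certificate issuer that is not the one you expect, and it decides whether a hostname falls under the Wildfire domains that must be exempted from decryption. The log lines and issuer names below are constructed for the example; real varrcvr.log wording differs, so adjust the patterns to what your log actually shows.

```python
import re

# The two Wildfire Cloud domains from this article that must bypass decryption.
WILDFIRE_HOSTS = (
    "panos.wildfire.paloaltonetworks.com",
    "wildfire.paloaltonetworks.com",
)

# Lines that mention a certificate/TLS problem (pattern is an assumption, tune it).
CERT_ERROR = re.compile(r"(certificate|ssl|tls).*(verif|error|fail)", re.I)
# Lines that report who signed the peer certificate (format is an assumption).
ISSUER = re.compile(r"issuer\s*[:=]\s*(.+)$", re.I)

# Constructed sample log; NOT real varrcvr.log output.
SAMPLE_INTERCEPTED = """\
2022-02-19 08:17:42.818 -0500 check disk /opt/panlogs/session/pan/dlp/ usage max 20971520
2022-02-19 08:17:43.101 -0500 wildfire register: connecting to panos.wildfire.paloaltonetworks.com:443
2022-02-19 08:17:43.412 -0500 SSL certificate verify failed for panos.wildfire.paloaltonetworks.com
2022-02-19 08:17:43.412 -0500 peer certificate issuer: CN=Cisco Umbrella Example CA,O=Cisco (constructed)
"""
SAMPLE_CLEAN = """\
2022-02-19 08:17:43.101 -0500 wildfire register: connecting to panos.wildfire.paloaltonetworks.com:443
2022-02-19 08:17:43.412 -0500 peer certificate issuer: CN=Example Cloud CA,O=Palo Alto Networks (placeholder)
"""


def scan_varrcvr(log_text, expected_issuer_substrings):
    """Return (kind, detail) findings: certificate errors and issuers not on the
    expected list. An unexpected issuer right after a verify failure is the
    signature of a decrypting proxy in the path."""
    findings = []
    for line in log_text.splitlines():
        if CERT_ERROR.search(line):
            findings.append(("cert_error", line.strip()))
        m = ISSUER.search(line)
        if m:
            issuer = m.group(1).strip()
            if not any(s.lower() in issuer.lower() for s in expected_issuer_substrings):
                findings.append(("unexpected_issuer", issuer))
    return findings


def needs_decrypt_bypass(hostname):
    """True if hostname is one of the Wildfire hosts or a subdomain of one
    (subdomain matching is an assumption; exact match is the minimum)."""
    h = hostname.lower().rstrip(".")
    return any(h == w or h.endswith("." + w) for w in WILDFIRE_HOSTS)
```

Run scan_varrcvr over your own mp-log output with the issuer organization you expect to see; any "unexpected_issuer" finding names the proxy that needs the bypass rule.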