I want to log URLs without using TLS decryption. However, Microsoft Yammer and others often use TLS session resumption. PA does not cache the TLS state by default (?), so it cannot identify the SNI. Do you have any good ideas?
Ah interesting, thanks for sharing!!
If I understand correctly, this only appears to happen in TLS 1.1? You could force the TLS sessions to 1.2 minimum, but unfortunately that option only applies to decrypted sessions... I don't see many alternatives at this time. Maybe you can raise a Feature Request with your local sales team?
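To check concretely what a middlebox can still see on a resumed connection (the offered legacy version discussed above, the session ID, a session_ticket or TLS 1.3 pre_shared_key extension, and the SNI), here is a small ClientHello inspector. It is an added example for this thread, not code from any of the posters or from Palo Alto Networks; the sample ClientHello is built by `build_client_hello()` in the same file (constructed input), and the extension numbers come from the IANA TLS registry.

```python
"""Parse a TLS ClientHello for the fields visible without decryption.

Added example, not Palo Alto Networks code.  The sample ClientHello is built
by build_client_hello() (constructed input); extension numbers are from the
IANA TLS ExtensionType registry."""
import struct

EXT_SERVER_NAME = 0x0000      # RFC 6066 SNI
EXT_SESSION_TICKET = 0x0023   # RFC 5077 ticket-based resumption
EXT_PRE_SHARED_KEY = 0x0029   # RFC 8446 TLS 1.3 PSK resumption


def build_client_hello(legacy_version=(3, 3), session_id=b"", sni=None, ticket=None):
    """Build a TLS record carrying a minimal ClientHello (constructed test input)."""
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    if ticket is not None:
        exts += struct.pack("!HH", EXT_SESSION_TICKET, len(ticket)) + ticket
    body = bytes(legacy_version) + b"\x00" * 32                    # version + random
    body += struct.pack("!B", len(session_id)) + session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"                     # one cipher suite
    body += b"\x01\x00"                                            # null compression
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return a dict of visible ClientHello fields, or None if not a ClientHello."""
    try:
        if record[0] != 0x16:                                      # handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        p = 0
        legacy_version = (body[p], body[p + 1]); p += 2
        p += 32                                                    # client random
        sid_len = body[p]; p += 1
        p += sid_len                                               # session_id bytes
        cs_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2 + cs_len
        p += 1 + body[p]                                           # compression methods
        info = {"legacy_version": legacy_version, "session_id_len": sid_len,
                "sni": None, "ticket_len": None, "psk": False}
        if p + 2 <= len(body):
            ext_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2
            end = min(p + ext_len, len(body))
            while p + 4 <= end:
                etype, elen = struct.unpack("!HH", body[p:p + 4]); p += 4
                data = body[p:p + elen]; p += elen
                if etype == EXT_SERVER_NAME:
                    q = 2                                          # skip ServerNameList length
                    while q + 3 <= len(data):
                        ntype = data[q]
                        nlen = struct.unpack("!H", data[q + 1:q + 3])[0]; q += 3
                        if ntype == 0 and info["sni"] is None:
                            info["sni"] = data[q:q + nlen].decode("ascii", "replace")
                        q += nlen
                elif etype == EXT_SESSION_TICKET:
                    info["ticket_len"] = elen   # 0 = "I support tickets", >0 = resume this one
                elif etype == EXT_PRE_SHARED_KEY:
                    info["psk"] = True
    except (IndexError, struct.error):
        return None
    # Non-empty session_id, non-empty ticket or a PSK extension = resumption attempt.
    # Caveat: TLS 1.3 clients send a random 32-byte session_id for middlebox
    # compatibility, so on TLS 1.3 only the pre_shared_key extension is conclusive.
    info["resumption_attempt"] = sid_len > 0 or bool(info["ticket_len"]) or info["psk"]
    return info


if __name__ == "__main__":
    sample = build_client_hello((3, 2), b"\x11" * 32, "www.yammer.com", b"\xab" * 16)
    print(parse_client_hello(sample))
```

Feed it the first client-to-server TLS record of a flow from a pcap to tell a fresh handshake from a resumption attempt, and which version the client offered. Whether a given firewall release uses the SNI or only the server certificate (absent from an abbreviated handshake) for URL categorisation is not something this script can tell you; that is the question to put to TAC.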
Hi Nanashin, your English is perfect please don't worry about that at all. Any misunderstanding is on my part as I failed to properly read and comprehend your question. Allow me to try again:
Unless the session remains open (no TCP FIN or RST and no TCP timeout), the TLS state will be forgotten by the firewall when the session is broken down. What I do wonder, as I have not seen this type of TLS behavior 'in the real world' yet, is how the session is continued: is there a new (blank?) TLS handshake to re-establish the session, or is the session continued as if it was never interrupted? Since apparently sessions like this work for Yammer, there must be something the firewall is able to identify.
One other option, but this is not reliable, is the app-cache, where the firewall caches app-ids for common and frequent connections. This mechanism will 'predict' which app-id is needed when a connection matching the same 6-tuple as previously seen is received by the firewall. This could assist in catching some continued sessions but may not be 100% reliable (as it is based on caching).
If you are seeing certain applications that are failing due to TLS resumption, the best solution would probably be to reach out to TAC to have the app-id modified to account for this behavior. If there's no TLS information in the continued session, the firewall will not be able to assign a URL category.
For such cases I would install a MineMeld instance (or any web interface where you can load up lists) and feed an External Dynamic List with the individual IP pools for those applications: https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide and filter based on those destinations, if applications are tricky to catch.
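The EDL approach above can be scripted without MineMeld: the page linked in the reply is backed by a JSON web service, and a few lines of Python turn it into a PAN-OS IP-type External Dynamic List (one IP or CIDR per line). This is an added example for this thread, not code from the poster, Microsoft or Palo Alto Networks. `SAMPLE_FEED` is constructed with RFC 5737/RFC 3849 documentation prefixes and mirrors the real feed's field names; `fetch_endpoints()` downloads the live worldwide feed and is not called in the offline path.

```python
"""Turn the Microsoft 365 endpoint feed into an EDL of IP prefixes, narrowed
to entries whose URLs contain a substring such as "yammer".

Added example, not Microsoft or Palo Alto Networks code.  SAMPLE_FEED is
constructed with documentation prefixes and mimics the real feed's schema."""
import ipaddress
import json
import urllib.request
import uuid

ENDPOINTS_URL = "https://endpoints.office.com/endpoints/worldwide?clientrequestid={}"


def fetch_endpoints():
    """Download the live worldwide endpoint feed (network access required)."""
    with urllib.request.urlopen(ENDPOINTS_URL.format(uuid.uuid4()), timeout=30) as resp:
        return json.load(resp)


# Constructed sample: same keys as the real feed, documentation IP ranges only.
SAMPLE_FEED = [
    {"id": 1, "serviceArea": "Common", "urls": ["*.yammer.com", "*.yammerusercontent.com"],
     "ips": ["203.0.113.0/25", "203.0.113.128/25", "2001:db8:10::/48"],
     "tcpPorts": "443", "category": "Allow", "required": True},
    {"id": 2, "serviceArea": "Common", "urls": ["*.assets-yammer.com"],
     "ips": ["203.0.113.0/24", "198.51.100.0/24"],
     "tcpPorts": "443", "category": "Default", "required": False},
    {"id": 3, "serviceArea": "Exchange", "urls": ["outlook.office365.com"],
     "ips": ["192.0.2.0/24"], "tcpPorts": "443", "category": "Optimize", "required": True},
    # URL-only entry: real feed entries may carry no "ips" at all.
    {"id": 4, "serviceArea": "Common", "urls": ["*.yammer.com"],
     "tcpPorts": "80,443", "category": "Default", "required": False},
]


def select_ip_prefixes(entries, url_substring=None,
                       categories=("Optimize", "Allow", "Default")):
    """Collapsed, sorted IPv4 then IPv6 prefixes for entries matching the filters."""
    nets = set()
    for entry in entries:
        if entry.get("category") not in categories:
            continue
        if url_substring and not any(url_substring in u for u in entry.get("urls", [])):
            continue
        for prefix in entry.get("ips", []):          # URL-only entries have no "ips"
            nets.add(ipaddress.ip_network(prefix, strict=False))
    # collapse_addresses merges adjacent/overlapping prefixes and sorts; one family at a time
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]


def render_edl(prefixes):
    """EDL body: exactly one entry per line, nothing else."""
    return "".join(p + "\n" for p in prefixes)


if __name__ == "__main__":
    # Offline run on the constructed sample; swap in fetch_endpoints() for the live feed.
    print(render_edl(select_ip_prefixes(SAMPLE_FEED, url_substring="yammer")), end="")
```

Serve the rendered text over HTTP(S) and point the EDL object at it; the firewall re-fetches on its own schedule, which matters because Microsoft changes these ranges. Two caveats when matching on destination IP instead of URL: the same ranges front several Microsoft services, so a rule built on them is broader than "Yammer", and the `category` filter (Optimize/Allow/Default) is Microsoft's routing advice, not a security classification.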