Been implementing decryption for the last 6 weeks and it has been a complete pain, which I understand is expected. So my main goal with this post is to compare notes with you all to determine the best methods for troubleshooting URLs & services that are being blocked.
No decrypt URL list under "Policies --> Decryption"
This references URL categories like Financial Services, health and medical, and a custom list where I have created exceptions for things like Google Drive.
No decrypt Private Cert list under "Policies --> Decryption"
This was special: the app Signal uses a self-signed cert that wouldn't let it fully initiate. So I had to create a separate "Objects --> Decryption --> Decryption Profile" that didn't block untrusted issuers under the "no decryption" tab. I have since expanded this rule as I've found several apps that have this issue.
Adding intermediate or root CAs to my "Device --> Certificate Management --> Certificates"
I've had several US state websites that are blocked because their certificate isn't trusted for tax-related sections of the sites. Downloading their cert and adding it to the firewall fixes this.
So these steps have helped with a lot of my issues but not everything. I've only been able to add a few members of my engineering department as I constantly run into tools they use and I can't get the URL to be bypassed or trusted, so they constantly get untrusted cert messages.
I've updated to PAN-OS 10.0.4, which has been helpful with having the Decryption tab under Monitor and the ACC tab for SSL Activity, but I still run into a lot of issues where the URLs that are being flagged/blocked still pop up and prompt untrusted even after entering exceptions (www.python.org, jetbrains). I'm especially surprised by how many DigiCert-related issues I get.
Would love to know if there are additional steps you all take, especially related to the developers? I have 2 tickets open with TAC and I'm shocked at how slow and unproductive the experience has been so far.
Thanks!
Jn
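One way to triage the failures the post describes (self-signed app certs, untrusted state-site roots, sites that still fail after a URL exception) is to group a decryption-log export by SNI and map each failure to the matching fix. This is an added example, not the poster's or Palo Alto's own code: the column names (sni, root_status, chain_status, error), the sample rows and the exception list are all constructed stand-ins, and the wildcard matcher only approximates custom URL category matching.

```python
import csv
import io
from collections import Counter
from fnmatch import fnmatch

# Constructed sample export. Column names are ASSUMED stand-ins; map them to
# the real export's fields before using this on a firewall's decryption log.
SAMPLE_LOG = """\
sni,root_status,chain_status,error
www.devtools.example,trusted,complete,
cdn.devtools.example,trusted,incomplete,Untrusted issuer CA
cdn.devtools.example,trusted,incomplete,Untrusted issuer CA
tax.example-state.gov,untrusted,complete,Untrusted issuer CA
chat.example-messenger.net,untrusted,complete,Self-signed certificate
"""

# Constructed no-decrypt URL entries, in the wildcard style of a custom URL category.
EXCEPTIONS = ["www.devtools.example", "*.jetbrains.example"]

def covered(sni, exceptions=EXCEPTIONS):
    """True if some no-decrypt URL entry matches this SNI (simplified matcher)."""
    return any(fnmatch(sni, pattern) for pattern in exceptions)

def recommend(root_status, chain_status, error):
    """Map one failure to the remediation step the post walks through."""
    err = error.lower()
    if "self" in err and "signed" in err:
        return "no-decrypt by certificate: profile that does not block untrusted issuers"
    if root_status == "untrusted":
        return "import the site's root CA under Device > Certificate Management"
    if chain_status == "incomplete":
        return "import the missing intermediate CA (server sends an incomplete chain)"
    return "add a no-decrypt URL exception"

def triage(text, exceptions=EXCEPTIONS):
    """Group failures by SNI -> (count, recommendation, already covered by an exception)."""
    counts, recs = Counter(), {}
    for row in csv.DictReader(io.StringIO(text)):
        if not row["error"]:          # successful decrypt, nothing to fix
            continue
        counts[row["sni"]] += 1
        recs[row["sni"]] = recommend(row["root_status"], row["chain_status"], row["error"])
    return {sni: (n, recs[sni], covered(sni, exceptions)) for sni, n in counts.items()}

if __name__ == "__main__":
    for sni, (n, rec, exc) in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1][0]):
        print(f"{n:3d}  {sni:28s} excepted={exc}  -> {rec}")
```

An SNI that keeps failing while "excepted" is False is the www.python.org situation: the exception exists but does not match the host the client actually connects to.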