Hi All, my company is a Google Workspace customer and as I've been rolling out SSL decryption, Google File Stream has been giving me problems and doesn't appear to sync anymore with endpoints. When looking up the URLs to exclude, Google provides this long list: https://support.google.com/a/answer/2589954?hl=en. After reviewing it, it's hard for me to get on board with all the URLs Google wants allowed. To be specific, I'm hesitant mainly about www.google.com, as I get the impression it would limit a lot of visibility. But maybe I'm wrong?
Does anyone have any experience with this or can offer another perspective for allowing this whole list of URLs?
Yes, with those URLs in a custom category you have more control over what happens to them, while you can still apply different rules to your generic internet traffic.
Thanks for this. Waiting for 10.0 to become a preferred release for my production firewalls.
Regarding the category, would this mainly be for whitelisting the URLs if I was limiting outbound traffic?
Hi Jn,
The doc doesn't specifically state that these URLs should all be excluded from TLS decryption, they just need to be allowed.
You could try adding all these to their own URL category and then creating a rule that allows this category as a destination (not via URL filtering profile) so you have that base covered.
The next hurdle is this comment:
"Drive File Stream encrypts all network traffic and validates host certificates to protect against man-in-the-middle (MITM) attacks. If you deploy to a network that uses a decrypting proxy, you should configure the TrustedRootCertsFile setting for Drive File Stream."
Since they use client certificates for the File Stream which can't be decrypted, you will need to figure out which URLs are causing issues by looking for decrypt errors.
In PAN-OS 10 there's a separate log for these, which makes spotting them much easier.
In PAN-OS 9.1 and earlier you can use these filters in the traffic log to pinpoint which ones are causing problems, so you can exclude only those relevant URLs:
((session_end_reason eq decrypt-cert-validation) or (session_end_reason eq decrypt-unsupport-param) or (session_end_reason eq decrypt-error)) and ( rule eq ThatRuleYouMade )
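To apply the same filter offline against an exported traffic log and rank the destinations that are actually failing decryption, here is an added Python example (not from this thread or from Palo Alto Networks). The CSV column names are an assumption modelled on the PAN-OS traffic log export, and the log rows are constructed sample data.

```python
import csv
import io
from collections import Counter

# The three session end reasons the thread's log filter keys on. Any of
# them on the Drive allow rule means the decryption policy broke that session.
DECRYPT_FAILURE_REASONS = {
    "decrypt-cert-validation",
    "decrypt-unsupport-param",
    "decrypt-error",
}

# Constructed sample of a traffic-log CSV export (assumed column names;
# a real export carries many more columns, the rest are simply ignored).
SAMPLE_LOG = """Rule,Destination address,Destination Port,Application,Session End Reason
GoogleDriveAllow,203.0.113.10,443,google-drive-web,decrypt-cert-validation
GoogleDriveAllow,203.0.113.10,443,google-drive-web,decrypt-cert-validation
GoogleDriveAllow,203.0.113.20,443,ssl,decrypt-error
GoogleDriveAllow,203.0.113.30,443,google-base,tcp-fin
GeneralWeb,198.51.100.5,443,web-browsing,decrypt-unsupport-param
GoogleDriveAllow,203.0.113.10,443,google-drive-web,decrypt-unsupport-param
"""

def matches_filter(row, rule_name):
    """Offline equivalent of the thread's filter: decrypt failure AND rule eq <rule>."""
    return (row["Rule"] == rule_name
            and row["Session End Reason"] in DECRYPT_FAILURE_REASONS)

def decrypt_failures_by_destination(csv_text, rule_name):
    """Count decrypt-failed sessions per (destination IP, application) for one rule.
    The noisiest entries are the candidates for a decryption exclusion."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if matches_filter(row, rule_name):
            counts[(row["Destination address"], row["Application"])] += 1
    return dict(counts)

def failure_reasons(csv_text, rule_name):
    """Break the same matches down by end reason: cert-validation points at
    certificate pinning, unsupport-param at a TLS parameter the proxy can't handle."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return dict(Counter(r["Session End Reason"] for r in rows if matches_filter(r, rule_name)))

if __name__ == "__main__":
    hits = decrypt_failures_by_destination(SAMPLE_LOG, "GoogleDriveAllow")
    for (dst, app), n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {dst:16s}  {app}")
    print(failure_reasons(SAMPLE_LOG, "GoogleDriveAllow"))
```

Only destinations that hit the allow rule with a decrypt end reason are reported, so normally closed sessions (tcp-fin) and other rules stay out of the exclusion candidate list.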