This is part of the Palo Posts how-to guides for getting the most from your Palo Alto firewall on a home or small business network.
Overview
About a month ago, I enabled decryption on my Palo Alto firewall and limited it only to traffic to and from my MacBook Pro. It’s worked well and provided great visibility into the vast amounts of encrypted traffic that we see nowadays.
So what’s this have to do with macOS? Apple periodically releases updates and I had read that one was just released. I checked my laptop and saw that I had a few updates to install for the iWork suite and Xcode. Notably missing were notifications for the core macOS system updates. I clicked on the “Updates” button again in the Mac App Store and received the following message:
“Oh, the operation couldn’t be completed because of the NSURLErrorDomain error -1012? Great, real helpful.” I tried closing and reopening the App Store with no luck. I thought maybe my laptop just wasn’t happy because I hadn’t rebooted in a while so I tried that, but still no luck. I searched the interwebs and found a few forum posts, but nothing too helpful. One post included lines from /var/log/install.log so I decided to check out what mine said.
2018-03-29 22:17:47-05 macbookpro softwareupdated[501]: Scan got error The operation couldn't be completed. (NSURLErrorDomain error -1012.)
2018-03-29 22:17:47-05 macbookpro softwareupdated[501]: Ramped updates marked
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: SUScan: Scan for client pid 501 (/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated)
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: Failed Software Update - Refusing invalid certificate from host: swscan.apple.com
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: Failed Software Update - Refusing invalid certificate from host: swscan.apple.com
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: SUScan: Elapsed scan time = 0.2
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: SUScan: Error encountered in scan: Error Domain=NSURLErrorDomain Code=-1012 "(null)" UserInfo={NSErrorFailingURLStringKey=https://swscan.apple.com/content/catalogs/others/index-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog, NSErrorFailingURLKey=https://swscan.apple.com/content/catalogs/others/index-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog, NSLocalizedRecoverySuggestion=Make sure you’re connected to the Internet, and then try again., SUErrorRelatedCode=SUErrorCodeScanCatalogNotFound}
“Refusing invalid certificate from host: swscan.apple.com” — now we’re getting somewhere! I knew immediately this was due to my Palo Alto decryption. I checked my Monitor logs and confirmed that decryption was occurring on traffic to https://swscan.apple.com.
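As an added example (not part of the original post), the Python script below parses install.log lines in the format quoted above and tallies every hostname that softwareupdated refused for an invalid certificate, noting whether a -1012 scan error names the same host. The sample log is constructed from the lines above with a shortened catalog URL, and the function names are hypothetical.

```python
import re
import sys
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the format of the install.log lines quoted above
# (the catalog URL is shortened; it is not a real Apple path).
SAMPLE_LOG = """\
2018-03-29 22:17:47-05 macbookpro softwareupdated[501]: Scan got error The operation couldn't be completed. (NSURLErrorDomain error -1012.)
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: Failed Software Update - Refusing invalid certificate from host: swscan.apple.com
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: Failed Software Update - Refusing invalid certificate from host: swscan.apple.com
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: SUScan: Error encountered in scan: Error Domain=NSURLErrorDomain Code=-1012 "(null)" UserInfo={NSErrorFailingURLKey=https://swscan.apple.com/content/catalogs/others/example.sucatalog, SUErrorRelatedCode=SUErrorCodeScanCatalogNotFound}
2018-03-29 22:21:02-05 macbookpro softwareupdated[501]: SUScan: Elapsed scan time = 0.2
"""

# "<date> <time+tz> <machine> <process>[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<machine>\S+) (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
REFUSED_RE = re.compile(r"Refusing invalid certificate from host: (?P<name>[A-Za-z0-9.-]+)")
FAILING_URL_RE = re.compile(r"NSErrorFailingURLKey=(?P<url>https://[^,\s}]+)")

def cert_failures(log_text, process="softwareupdated"):
    """Return (refused, failing): per-hostname counts for each failure kind."""
    refused, failing = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proc"] != process:
            continue  # skip unparseable lines and other daemons
        msg = m["msg"]
        r = REFUSED_RE.search(msg)
        if r:
            refused[r["name"].lower()] += 1
        if "Code=-1012" in msg:  # the NSURLErrorDomain error shown by the App Store
            u = FAILING_URL_RE.search(msg)
            if u:
                failing[urlsplit(u["url"]).hostname] += 1
    return refused, failing

def exclusion_candidates(log_text):
    """(hostname, refusals, also_named_in_-1012_error), most refusals first."""
    refused, failing = cert_failures(log_text)
    return [(h, n, h in failing) for h, n in refused.most_common()]

if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for host, count, confirmed in exclusion_candidates(text):
        print(f"{host}\trefusals={count}\tmatching -1012 URL={confirmed}")
```

Run it with the path to install.log as the only argument; with no argument it processes the constructed sample.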
Solution
So how do I solve this? A little digging and I found that Palo Alto maintains a predefined list of URLs to exclude from decryption in Device -> Certificate Management -> SSL Decryption Exclusion. These are URLs that Palo Alto knows will cause issues if decryption is attempted. Interestingly, searching for “apple” in this list showed a number of predefined apple.com URLs. One was even described as “apple-appstore: pinned-cert” suggesting that perhaps Apple has updated the URL for this, causing my decryption to break my update process.
To add my own, I clicked “Add” at the bottom, and entered the following:
Committed the change and tried updating my laptop once more. This time, it worked!