<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Outbound SSL Decryption Quirk in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/outbound-ssl-decryption-quirk/m-p/1239459#M6374</link>
    <description>&lt;P&gt;Have you checked the decrypt logs to see if something odd is happening the moment you notice a failed connection?&lt;/P&gt;
&lt;P&gt;How did you configure your decryption profile? Did you limit your SSL Protocol Settings?&lt;/P&gt;</description>
    <pubDate>Mon, 06 Oct 2025 12:00:08 GMT</pubDate>
    <dc:creator>reaper</dc:creator>
    <dc:date>2025-10-06T12:00:08Z</dc:date>
    <item>
      <title>Outbound SSL Decryption Quirk</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/outbound-ssl-decryption-quirk/m-p/1239365#M6368</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;I have established an outbound SSL decrypt policy that I have enabled for only myself as I test functionality. Over the past few months, I've noticed a quirk that I'm unsure of the reasoning behind. With the policy enabled, sometimes connections to certain destinations will require a reload of the webpage to establish connection.&lt;/P&gt;
&lt;P&gt;For example:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Navigate to a knowledgebase for a vendor - failed to establish connection upon first attempt&lt;/LI&gt;
&lt;LI&gt;Reload the webpage - successfully establish connection&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This behavior is exclusive to when I have the decrypt policy enabled so I'm fairly certain that I am pointing the finger at the correct culprit. It seems a problematic destination is random, as it's not always the same sites and varies between days/weeks on occurrence.&lt;/P&gt;
&lt;P&gt;The workaround of simply refreshing the page is easy enough; my concern is when I enable this for the company and users flood my inbox with this issue for various sites and I have to tell them all to refresh... seems half-baked.&lt;/P&gt;
&lt;P&gt;My question is - Is this normal behavior for SSL decryption, or am I missing something within the configuration? I followed the best-practice guide released by Palo Alto.&lt;/P&gt;
&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Fri, 03 Oct 2025 17:14:56 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/outbound-ssl-decryption-quirk/m-p/1239365#M6368</guid>
      <dc:creator>RH747</dc:creator>
      <dc:date>2025-10-03T17:14:56Z</dc:date>
    </item>
    <item>
      <title>Re: Outbound SSL Decryption Quirk</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/outbound-ssl-decryption-quirk/m-p/1239459#M6374</link>
      <description>&lt;P&gt;Have you checked the decrypt logs to see if something odd is happening the moment you notice a failed connection?&lt;/P&gt;
&lt;P&gt;How did you configure your decryption profile? Did you limit your SSL Protocol Settings?&lt;/P&gt;</description>
      <pubDate>Mon, 06 Oct 2025 12:00:08 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/outbound-ssl-decryption-quirk/m-p/1239459#M6374</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2025-10-06T12:00:08Z</dc:date>
    </item>
    <item>
      <title>Re: Outbound SSL Decryption Quirk</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/outbound-ssl-decryption-quirk/m-p/1239467#M6376</link>
      <description>&lt;P&gt;I have checked the logs when it has happened in the past and don't see anything that consistently shows each time and it's a somewhat rare occurrence, so I don't have much to go off of with only 1 user testing. Initially I thought maybe it was an OCSP/CRL delay, but that's uncertain without logs to correlate the thought. I was hoping someone has experienced this and narrowed their findings to something specific I could check!&lt;/P&gt;
&lt;P&gt;The profile is mostly configured to PA recommended best practice; the minimum protocol is set to 1.2 with maximum set to max. I do not have the failure checks or strip ALPN enabled. Certificate used is firewall generated.&lt;/P&gt;</description>
      <pubDate>Mon, 06 Oct 2025 14:53:23 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/outbound-ssl-decryption-quirk/m-p/1239467#M6376</guid>
      <dc:creator>RH747</dc:creator>
      <dc:date>2025-10-06T14:53:23Z</dc:date>
    </item>
  </channel>
</rss>

