https://live.paloaltonetworks.com/t5/next-generation-firewall/global-protect-mac-os-received-fatal-alert-illegalparameter-from/m-p/1240621#M6409 <P>Hello Livecommunity!<BR /><BR /></P> <P>As an update, our client created a ticket with MAC support, as the operating system is attempting to use the insecure TLS 1.0 instead of TLS 1.2 or TLS 1.3. As soon as I have any progress on MAC parsing, I'll post it in this knowledge base.<BR /><BR /></P> <P>Best regards,</P> Fri, 24 Oct 2025 05:02:50 GMT DanielS.Romero 2025-10-24T05:02:50Z https://live.paloaltonetworks.com/t5/next-generation-firewall/global-protect-mac-os-received-fatal-alert-illegalparameter-from/m-p/1222228#M5626 <P>Hello team,<BR /><BR />I have an issue with the Global Protect 6.2.7 app running on an Apple Mac OS X Sequoia15.3.1 in the SSL negotiation process,<BR /><BR />The error on the Global Protect say "<STRONG>The network connection is unreachable or the portal is unresponsive. Check the network connection and reconnect.</STRONG>"<BR /><BR />On the NGFW logs see somes decrypt errors on the traffic and decryptions logs says "<STRONG>sslv3 alert illegal parameter. Received fatal alert IllegalParameter from client</STRONG>" When the Mac-OS Client try to negotiate the SSL connection with TLS 1.3.<BR /><BR />When the client uses TLS 1.0 the decrypt error says "<STRONG>Client and decrypt profile version mismatch. Supported client version bitmask: 0x08. Supported decrypt profile version bitmask: 0x60. " </STRONG>as below<STRONG>:</STRONG><BR /><BR /><STRONG>NGFW DECRYPTION ERRORS TLS 1.0 &amp; TLS 1.3</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DanielSRomero_0-1740714068271.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66233iABA90AF48371F41D/image-size/medium?v=v2&amp;px=400" role="button" title="DanielSRomero_0-1740714068271.png" alt="DanielSRomero_0-1740714068271.png" /></span><BR /><BR />I import the Global Protect certificate on the Mac OS and the issues still there.<BR /><BR />I verify the TLS/SSL Service Profile configured to the Global Protect and I see that it only allowed connections from TLS 1.2 and higher, however why the Global Protect SSL connection fail even with TLS 1.3 negotiation?&nbsp;<BR /><BR /><STRONG>NGFW GLOBAL PROTECT SSL/TLS SERVICE PROFILE</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DanielSRomero_1-1740714215213.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66234i865EC30664AFDD35/image-size/medium?v=v2&amp;px=400" role="button" title="DanielSRomero_1-1740714215213.png" alt="DanielSRomero_1-1740714215213.png" /></span><BR />I configured a pcap to try to find extra information about the issue, and I see that the TCP 3-way is completed between the NGFW Global Protect and the Client Global Protect App, however some times the mac-os try to negotiate with the TLS 1.0 or TLS 1.3 and the NGFW sends a TCP RST to finish the session.<BR /><BR /><STRONG>NGFW GLOBAL PROTECT TLS1.0 NEGOTIATION</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DanielSRomero_2-1740714813788.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66235iAB05D14F2D51C216/image-size/medium?v=v2&amp;px=400" role="button" title="DanielSRomero_2-1740714813788.png" alt="DanielSRomero_2-1740714813788.png" /></span></P> <P><BR /><STRONG>FROM NGFW GLOBAL PROTECT TLS1.0 NEGOTIATION ERROR</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DanielSRomero_3-1740714853802.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66236i209826B217326912/image-size/medium?v=v2&amp;px=400" role="button" title="DanielSRomero_3-1740714853802.png" alt="DanielSRomero_3-1740714853802.png" /></span></P> <P><BR /><STRONG>NGFW GLOBAL PROTECT TLS1.3 NEGOTIATION (AT THE END THE NGFW SENDS A TCP RST TO THE GLOBAL PROTECT CLIENT APP)</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DanielSRomero_4-1740714987441.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66237i19BCC0F88BD6701A/image-size/medium?v=v2&amp;px=400" role="button" title="DanielSRomero_4-1740714987441.png" alt="DanielSRomero_4-1740714987441.png" /></span></P> <P><BR />Someone else have the same issue and know how to fix it?<BR /><BR />I appreciate your time and help,<BR /><BR />Best Regards,</P> <P>&nbsp;</P> Fri, 28 Feb 2025 04:01:33 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/global-protect-mac-os-received-fatal-alert-illegalparameter-from/m-p/1222228#M5626 DanielS.Romero 2025-02-28T04:01:33Z https://live.paloaltonetworks.com/t5/next-generation-firewall/global-protect-mac-os-received-fatal-alert-illegalparameter-from/m-p/1240621#M6409 <P>Hello Livecommunity!<BR /><BR /></P> <P>As an update, our client created a ticket with MAC support, as the operating system is attempting to use the insecure TLS 1.0 instead of TLS 1.2 or TLS 1.3. As soon as I have any progress on MAC parsing, I'll post it in this knowledge base.<BR /><BR /></P> <P>Best regards,</P> Fri, 24 Oct 2025 05:02:50 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/global-protect-mac-os-received-fatal-alert-illegalparameter-from/m-p/1240621#M6409 DanielS.Romero 2025-10-24T05:02:50Z