https://live.paloaltonetworks.com/t5/next-generation-firewall/possibility-of-secure-mqtt-s-decryption-at-palo-alto-firewall/m-p/1241076#M6421 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/217294">@NetSecFirewall</a>&nbsp;,</P> <P>&nbsp;</P> <P>The answer is nuanced because you don't provide a lot of info.</P> <P><SPAN class="N9Q8Lc">As far as I know MQTT can be decrypted normally on PANW in its default setup.&nbsp;</SPAN><SPAN class="N9Q8Lc">&nbsp;Secure communication is enabled by using Transport Layer Security (TLS), which can then be enhanced with certificate pinning (or fingerprint validation) for additional security against man-in-the-middle attacks (in which case decryption will not be possible).</SPAN><SPAN class="uJ19be notranslate" data-wiz-uids="nzf2E_a,nzf2E_b"><SPAN class="vKEkVd" data-animation-atomic="">&nbsp;</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN class="uJ19be notranslate" data-wiz-uids="nzf2E_a,nzf2E_b"><SPAN class="vKEkVd" data-animation-atomic=""><SPAN>Some websites are misconfigured and will not send complete certificate chains (up to root) which is according to RFC standard. The firewall has only root certificates in its "Default Trusted Certificate Authorities" store. In case an intermediate certificate is missing from the certificate list presented by the server, the firewall will not be able to construct the chain to the root and will present the "Forward Untrust Certificate" to the client when decryption is enabled </SPAN><A href="https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs/repair-incomplete-certificate-chains" target="_blank" rel="noopener" data-aura-rendered-by="162:70487;a">https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs/repair-incomplete-certificate-chains</A><SPAN>&nbsp;</SPAN></SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN class="uJ19be notranslate" data-wiz-uids="nzf2E_a,nzf2E_b"><SPAN class="vKEkVd" data-animation-atomic=""><SPAN>As per the DOC above there are some steps you can perform to resolve that problem.<BR /><BR />1.Filter the Decryption log to identify Decryption sessions that failed because of an incomplete certificate chain. </SPAN></SPAN></SPAN></P> <P><SPAN class="uJ19be notranslate" data-wiz-uids="nzf2E_a,nzf2E_b"><SPAN class="vKEkVd" data-animation-atomic=""><SPAN>2.Copy and paste the URI into your browser and then press Enter to download the missing intermediate certificate. </SPAN></SPAN></SPAN></P> <P><SPAN class="uJ19be notranslate" data-wiz-uids="nzf2E_a,nzf2E_b"><SPAN class="vKEkVd" data-animation-atomic=""><SPAN>3.Import the certificate into the firewall. </SPAN></SPAN></SPAN></P> <P><SPAN class="uJ19be notranslate" data-wiz-uids="nzf2E_a,nzf2E_b"><SPAN class="vKEkVd" data-animation-atomic=""><SPAN>4.Select Trusted Root CA to mark the certificate as a Trusted Root CA on the firewall. </SPAN></SPAN></SPAN></P> <P><SPAN class="uJ19be notranslate" data-wiz-uids="nzf2E_a,nzf2E_b">&nbsp;</SPAN></P> <P><SPAN class="uJ19be notranslate" data-wiz-uids="nzf2E_a,nzf2E_b">Kind regards,</SPAN></P> <P><SPAN class="uJ19be notranslate" data-wiz-uids="nzf2E_a,nzf2E_b">-Kim.</SPAN></P> Fri, 31 Oct 2025 17:08:52 GMT kiwi 2025-10-31T17:08:52Z https://live.paloaltonetworks.com/t5/next-generation-firewall/possibility-of-secure-mqtt-s-decryption-at-palo-alto-firewall/m-p/1240723#M6410 <P>how can we decrypt MQTT's port 8883 traffic at palo alto firewall, or is it possible.</P> Sat, 25 Oct 2025 20:12:27 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/possibility-of-secure-mqtt-s-decryption-at-palo-alto-firewall/m-p/1240723#M6410 NetSecFirewall 2025-10-25T20:12:27Z https://live.paloaltonetworks.com/t5/next-generation-firewall/possibility-of-secure-mqtt-s-decryption-at-palo-alto-firewall/m-p/1241076#M6421 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/217294">@NetSecFirewall</a>&nbsp;,</P> <P>&nbsp;</P> <P>The answer is nuanced because you don't provide a lot of info.</P> <P><SPAN class="N9Q8Lc">As far as I know MQTT can be decrypted normally on PANW in its default setup.&nbsp;</SPAN><SPAN class="N9Q8Lc">&nbsp;Secure communication is enabled by using Transport Layer Security (TLS), which can then be enhanced with certificate pinning (or fingerprint validation) for additional security against man-in-the-middle attacks (in which case decryption will not be possible).</SPAN><SPAN class="uJ19be notranslate" data-wiz-uids="nzf2E_a,nzf2E_b"><SPAN class="vKEkVd" data-animation-atomic="">&nbsp;</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN class="uJ19be notranslate" data-wiz-uids="nzf2E_a,nzf2E_b"><SPAN class="vKEkVd" data-animation-atomic=""><SPAN>Some websites are misconfigured and will not send complete certificate chains (up to root) which is according to RFC standard. The firewall has only root certificates in its "Default Trusted Certificate Authorities" store. In case an intermediate certificate is missing from the certificate list presented by the server, the firewall will not be able to construct the chain to the root and will present the "Forward Untrust Certificate" to the client when decryption is enabled </SPAN><A href="https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs/repair-incomplete-certificate-chains" target="_blank" rel="noopener" data-aura-rendered-by="162:70487;a">https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs/repair-incomplete-certificate-chains</A><SPAN>&nbsp;</SPAN></SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN class="uJ19be notranslate" data-wiz-uids="nzf2E_a,nzf2E_b"><SPAN class="vKEkVd" data-animation-atomic=""><SPAN>As per the DOC above there are some steps you can perform to resolve that problem.<BR /><BR />1.Filter the Decryption log to identify Decryption sessions that failed because of an incomplete certificate chain. </SPAN></SPAN></SPAN></P> <P><SPAN class="uJ19be notranslate" data-wiz-uids="nzf2E_a,nzf2E_b"><SPAN class="vKEkVd" data-animation-atomic=""><SPAN>2.Copy and paste the URI into your browser and then press Enter to download the missing intermediate certificate. </SPAN></SPAN></SPAN></P> <P><SPAN class="uJ19be notranslate" data-wiz-uids="nzf2E_a,nzf2E_b"><SPAN class="vKEkVd" data-animation-atomic=""><SPAN>3.Import the certificate into the firewall. </SPAN></SPAN></SPAN></P> <P><SPAN class="uJ19be notranslate" data-wiz-uids="nzf2E_a,nzf2E_b"><SPAN class="vKEkVd" data-animation-atomic=""><SPAN>4.Select Trusted Root CA to mark the certificate as a Trusted Root CA on the firewall. </SPAN></SPAN></SPAN></P> <P><SPAN class="uJ19be notranslate" data-wiz-uids="nzf2E_a,nzf2E_b">&nbsp;</SPAN></P> <P><SPAN class="uJ19be notranslate" data-wiz-uids="nzf2E_a,nzf2E_b">Kind regards,</SPAN></P> <P><SPAN class="uJ19be notranslate" data-wiz-uids="nzf2E_a,nzf2E_b">-Kim.</SPAN></P> Fri, 31 Oct 2025 17:08:52 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/possibility-of-secure-mqtt-s-decryption-at-palo-alto-firewall/m-p/1241076#M6421 kiwi 2025-10-31T17:08:52Z