https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-inspection-problem/m-p/513905#M106707 <P>Hello everyone.</P> <P>&nbsp;</P> <P>i'm configuring decryption with ssl-inbound inspection towards a nas synology via DNAT port-forwarding but i'm having trouble working with the following error that gives me the browser "PR_END_OF_FILE_ERROR". DNAT without ssl-inbound inspection works fine without certificate errors if I try to reach the web server from outside.</P> <P>I have imported the certificate and the priv-key of the synology correctly on the fw and applied to the decryption policy, but I doubt that the zone-level decryption policy is wrong.</P> <P>I post a couple of screens for completeness, decrypt, nat, security and logs</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="porq91_0-1662322178791.png" style="width: 1694px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43657i1102C0B490DEABD0/image-dimensions/1694x52/is-moderation-mode/true?v=v2" width="1694" height="52" role="button" title="porq91_0-1662322178791.png" alt="porq91_0-1662322178791.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="porq91_1-1662322223915.png" style="width: 1472px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43658i934A679A5845865A/image-dimensions/1472x81/is-moderation-mode/true?v=v2" width="1472" height="81" role="button" title="porq91_1-1662322223915.png" alt="porq91_1-1662322223915.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="porq91_2-1662322296995.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43659i9058C76067B4DAFB/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="porq91_2-1662322296995.png" alt="porq91_2-1662322296995.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="porq91_0-1662322701882.png" style="width: 1008px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43661i405EE0D9DB236E4A/image-dimensions/1008x383/is-moderation-mode/true?v=v2" width="1008" height="383" role="button" title="porq91_0-1662322701882.png" alt="porq91_0-1662322701882.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Actually topology:&nbsp; internet---&gt;router(dnat to ptp-fw)---&gt;FW(dnat to synology TCP 5001)----&gt;SYNOLOGY</P> <P>&nbsp;</P> <P>Thanks in advice,</P> <P>&nbsp;</P> <P>Angelo.</P> <P>&nbsp;</P> <P>&nbsp;</P> Sun, 04 Sep 2022 20:19:17 GMT porq91 2022-09-04T20:19:17Z https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-inspection-problem/m-p/513905#M106707 <P>Hello everyone.</P> <P>&nbsp;</P> <P>i'm configuring decryption with ssl-inbound inspection towards a nas synology via DNAT port-forwarding but i'm having trouble working with the following error that gives me the browser "PR_END_OF_FILE_ERROR". DNAT without ssl-inbound inspection works fine without certificate errors if I try to reach the web server from outside.</P> <P>I have imported the certificate and the priv-key of the synology correctly on the fw and applied to the decryption policy, but I doubt that the zone-level decryption policy is wrong.</P> <P>I post a couple of screens for completeness, decrypt, nat, security and logs</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="porq91_0-1662322178791.png" style="width: 1694px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43657i1102C0B490DEABD0/image-dimensions/1694x52/is-moderation-mode/true?v=v2" width="1694" height="52" role="button" title="porq91_0-1662322178791.png" alt="porq91_0-1662322178791.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="porq91_1-1662322223915.png" style="width: 1472px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43658i934A679A5845865A/image-dimensions/1472x81/is-moderation-mode/true?v=v2" width="1472" height="81" role="button" title="porq91_1-1662322223915.png" alt="porq91_1-1662322223915.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="porq91_2-1662322296995.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43659i9058C76067B4DAFB/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="porq91_2-1662322296995.png" alt="porq91_2-1662322296995.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="porq91_0-1662322701882.png" style="width: 1008px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43661i405EE0D9DB236E4A/image-dimensions/1008x383/is-moderation-mode/true?v=v2" width="1008" height="383" role="button" title="porq91_0-1662322701882.png" alt="porq91_0-1662322701882.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Actually topology:&nbsp; internet---&gt;router(dnat to ptp-fw)---&gt;FW(dnat to synology TCP 5001)----&gt;SYNOLOGY</P> <P>&nbsp;</P> <P>Thanks in advice,</P> <P>&nbsp;</P> <P>Angelo.</P> <P>&nbsp;</P> <P>&nbsp;</P> Sun, 04 Sep 2022 20:19:17 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-inspection-problem/m-p/513905#M106707 porq91 2022-09-04T20:19:17Z https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-inspection-problem/m-p/513950#M106715 <P>There are other posts for such issues and you can google them but "PTP-FW-WAN2" is the destination address in your nat and security policies and for the security policy I think it should the translated internal zone address "SYNLOGY-NAC-...".</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-policy-rules/nat-policy-overview" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-policy-rules/nat-policy-overview</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>If you still have issues see drop packet captures, global counters, flow basic etc:</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-palo-alto-checking-for-drops-rejects-discards/td-p/402102" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-palo-alto-checking-for-drops-rejects-discards/td-p/402102</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Still check that the app is indeed using normal SSL and that it is not using pinned SSL certs that can't be decrypted. You can look at the SSL logs:</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloUCAS" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloUCAS</A></P> <P>&nbsp;</P> Mon, 05 Sep 2022 15:27:29 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-inspection-problem/m-p/513950#M106715 nikoolayy1 2022-09-05T15:27:29Z https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-inspection-problem/m-p/517875#M107448 <P>If you managed to get the needed answers, please flag the question as answered.</P> Thu, 13 Oct 2022 21:24:23 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-inbound-inspection-problem/m-p/517875#M107448 nikoolayy1 2022-10-13T21:24:23Z