topic Re: Temporarily disable SSL decryption in General Topics

Temporarily disable SSL decryption

laurence64 — Mon, 13 May 2024 10:48:04 GMT

I was wondering if anybody knew if the temporary disable SSL decryption is actually broken or it is my firewall, I needed to switch it off as I was having issues getting to sso.paloaltonetworks.com (which oddly is not covered by exclusion list) and found that even after running the command set system setting ssl-decrypt skip-ssl-decrypt yes, the traffic was still decrypted, I had to disable the rules and commit to stop the firewall from decrypting, I was hoping to avoid this as it is a PA-220 and takes an age to commit configs, if anybody has any ideas please let me know, I am currently running 10.1.12

Thanks in advance,

Re: Temporarily disable SSL decryption

JayGolf — Tue, 14 May 2024 04:59:57 GMT

Hi @laurence64 ,

The "set system setting ssl-decrypt skip-ssl-decrypt yes" should work for you. Is it possible that the traffic post entering the command had an existing session prior to command?

Re: Temporarily disable SSL decryption

laurence64 — Tue, 14 May 2024 09:51:18 GMT

Hi @JayGolf

That is a good point, so I cleared the CACHE on the browser as the cert can sometimes get stuck there and in the end used a private browser but still decrypted, it was only when I disabled the decryption rule that the traffic was no longer decrypted, but to be fair I did not clear the sessions on the firewall, I will give this a try later today as an experiment, as far as I am aware there are no issues with the command so you are right it should work.

Thank you for replying so quickly!

Re: Temporarily disable SSL decryption

laurence64 — Thu, 13 Jun 2024 09:56:21 GMT

Hi All,

Firstly sorry for the delay in responding, I did say I would check the existing session theory, I did clear the sessions and it worked as expected, however the browser still held the Firewall cert until cache was cleared, if that makes sense.