https://live.paloaltonetworks.com/t5/general-topics/security-certificate-error/m-p/40491#M29734 <HTML><HEAD></HEAD><BODY><P>We've had a few instances where we are on websites, the one I have witnessed is simply cnn.com, and then while I am browsing I'll suddenly get a certificate error well after the page is loaded that is generated by the PA-500 unit.&nbsp; I did not see this on the eval unit which was running 3.1.1, our purchased unit is running 3.1.2.&nbsp; Has anybody else seen anything like this?&nbsp; I had a call from a staff member a few minutes ago that it happened to them while on virginiapreps.rivals.com.</P><P></P><P>Thanks for any tips.</P></BODY></HTML> Thu, 03 Jun 2010 13:27:45 GMT kevin.shain 2010-06-03T13:27:45Z https://live.paloaltonetworks.com/t5/general-topics/security-certificate-error/m-p/40491#M29734 <HTML><HEAD></HEAD><BODY><P>We've had a few instances where we are on websites, the one I have witnessed is simply cnn.com, and then while I am browsing I'll suddenly get a certificate error well after the page is loaded that is generated by the PA-500 unit.&nbsp; I did not see this on the eval unit which was running 3.1.1, our purchased unit is running 3.1.2.&nbsp; Has anybody else seen anything like this?&nbsp; I had a call from a staff member a few minutes ago that it happened to them while on virginiapreps.rivals.com.</P><P></P><P>Thanks for any tips.</P></BODY></HTML> Thu, 03 Jun 2010 13:27:45 GMT https://live.paloaltonetworks.com/t5/general-topics/security-certificate-error/m-p/40491#M29734 kevin.shain 2010-06-03T13:27:45Z https://live.paloaltonetworks.com/t5/general-topics/security-certificate-error/m-p/40492#M29735 <HTML><HEAD></HEAD><BODY><P>Hello Kevin,</P><P>the Paloalto device will not randomly insert a certificate error while the user is browsing.</P><P>However if the paloalto device is configured for ssl decryption and the user goes to an ssl site, you will get a certificate error . In this scenario you would need to import the ssl decrypt certificate from the paloalto device into the user's browser.</P><P></P><P></P><P>Thanks,</P><P>Stephen</P></BODY></HTML> Thu, 03 Jun 2010 20:14:11 GMT https://live.paloaltonetworks.com/t5/general-topics/security-certificate-error/m-p/40492#M29735 swhyte 2010-06-03T20:14:11Z https://live.paloaltonetworks.com/t5/general-topics/security-certificate-error/m-p/40493#M29736 <HTML><HEAD></HEAD><BODY><P>I have no SSL Decryption Policies set.&nbsp; Is there somewhere else I need to disable this from? </P></BODY></HTML> Fri, 04 Jun 2010 13:24:25 GMT https://live.paloaltonetworks.com/t5/general-topics/security-certificate-error/m-p/40493#M29736 kevin.shain 2010-06-04T13:24:25Z https://live.paloaltonetworks.com/t5/general-topics/security-certificate-error/m-p/40494#M29737 <HTML><HEAD></HEAD><BODY><P>We have also problems with SSL-Sites since 3.1.2</P><P></P><P>Some sites - like gmail.com - with ssl encryption won't load after login. </P><P>We also have no SSL-Decryption-Policy. </P><P></P><P>In a packet-trace i can see that the client sends packets to the Google serverfarm and don't get any answer. After a few time I can see TCP-Resets sent from the PaloAlto-MAC-Address. </P><P></P><P>In the Traffic Logs I see the packets passing to the outside but never the server response. </P><P></P><P>We have two implementations - one for the company employees and one for guests.</P><P>We have a PA-2050 acting as an L3-Internet-Router with IPS-Functionality.</P><P>Behind the PA-2050 there is one Cisco ASA5040 with a PAT configured for out employees.</P><P>In parallel we have implemented two additional ports of the PA-2050 for firewalling/routing/PAT where the guests are placed within a seperate LAN-Infrastructure.</P><P></P><P>In the productive LAN we don't see any problems with SSL-Sites.</P><P>The problems are only located at the guest-environment.</P></BODY></HTML> Thu, 16 Sep 2010 09:04:26 GMT https://live.paloaltonetworks.com/t5/general-topics/security-certificate-error/m-p/40494#M29737 wko 2010-09-16T09:04:26Z https://live.paloaltonetworks.com/t5/general-topics/security-certificate-error/m-p/40495#M29738 <HTML><HEAD></HEAD><BODY><P>You MAY be running into a known issue. Can you issue the following command from the cli:</P><P></P><P></P><P>&gt;debug dataplane reset ssl-decrypt certificate-cache</P><P></P><P></P><P></P><P>Then try to go to any ssl sites that your were having problems with before. If you are now able to access the site then you are probably encountering and issue with our ssl certificate cache that is addressed in software version 3.1.5.</P><P></P><P>If not, then please call into support in order that we can take a closer look at this issue.</P><P></P><P></P><P>thanks,</P><P>Stephen</P></BODY></HTML> Fri, 17 Sep 2010 19:12:43 GMT https://live.paloaltonetworks.com/t5/general-topics/security-certificate-error/m-p/40495#M29738 swhyte 2010-09-17T19:12:43Z