https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-log-for-ssl-certificate-errors/m-p/69224#M40214 <P>Hi all,</P> <P>&nbsp;</P> <P>We are using PANOS URL Filtering and SSL Decryption, and we reject a variety of SSL certificate problems such as expired certificates, SHA-1 signing, etc.&nbsp; When one of our users hits one of these web sites, they get a "block" page.&nbsp; This invariably leads them to submit a request to have the site unblocked, without any additional information.&nbsp;</P> <P>&nbsp;</P> <P>We have been unable to find any log on the Monitor tab of the firewall console that will give us the reason why the certificate was rejected.&nbsp; At most we get traffic logs with "aged-out."&nbsp; Is this information being collected by PANOS?&nbsp; Is it available anywhere in the console?&nbsp; How do other people diagnose these blocks?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>- Steve</P> Tue, 08 Dec 2015 21:34:43 GMT RSKadish 2015-12-08T21:34:43Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-log-for-ssl-certificate-errors/m-p/69224#M40214 <P>Hi all,</P> <P>&nbsp;</P> <P>We are using PANOS URL Filtering and SSL Decryption, and we reject a variety of SSL certificate problems such as expired certificates, SHA-1 signing, etc.&nbsp; When one of our users hits one of these web sites, they get a "block" page.&nbsp; This invariably leads them to submit a request to have the site unblocked, without any additional information.&nbsp;</P> <P>&nbsp;</P> <P>We have been unable to find any log on the Monitor tab of the firewall console that will give us the reason why the certificate was rejected.&nbsp; At most we get traffic logs with "aged-out."&nbsp; Is this information being collected by PANOS?&nbsp; Is it available anywhere in the console?&nbsp; How do other people diagnose these blocks?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>- Steve</P> Tue, 08 Dec 2015 21:34:43 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-log-for-ssl-certificate-errors/m-p/69224#M40214 RSKadish 2015-12-08T21:34:43Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-log-for-ssl-certificate-errors/m-p/69246#M40225 <P>Try this:</P> <P>show system setting ssl-decrypt exclude-cache</P> <P>&nbsp;</P> <P>or</P> <P>&nbsp;</P> <P><SPAN>show counter global filter delta yes | match ssl_sess_id_resume_drop</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Here is a link with even more detail which may be helpful, though not as helpful as just adding this in the traffic log detail, which unfortuneately is not currently a supported feature. Reach out to you sales engineer and request this be added as a feature in a future release.</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/SSL-Decryption-Not-Working-due-to-Unsupported-Cipher-Suites/ta-p/55543" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/SSL-Decryption-Not-Working-due-to-Unsupported-Cipher-Suites/ta-p/55543</A></P> <P>&nbsp;</P> Wed, 09 Dec 2015 07:22:09 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-log-for-ssl-certificate-errors/m-p/69246#M40225 jpeters 2015-12-09T07:22:09Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-log-for-ssl-certificate-errors/m-p/69258#M40235 <P>Palo does provide a response page for SOME cert issues:<BR /><BR /><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/1555iEAD3556BCE18CE4D/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="SSL_Error.JPG" title="SSL_Error.JPG" /></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Specifically for things like an expired certificate I've seen this page come up. &nbsp;However for things like certificate negotiation issues I've only ever seen a "Page Can't Be Displayed" browser page. &nbsp;The only way I've found to diagnose the issue is to perform a packet capture. &nbsp;Doing this you can see a "Fatal Certificate Error" in the SSL/TLS negotiation.</P> <P>&nbsp;</P> <P>When things like the later occur it's very frustating because for one users tend to think there's a problem with a distant end...and/or when the ticket comes to a less experienced technician they don't even think about certificate issues and performing such in-depth analysis.</P> Wed, 09 Dec 2015 14:48:37 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-log-for-ssl-certificate-errors/m-p/69258#M40235 Brandon_Wertz 2015-12-09T14:48:37Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-log-for-ssl-certificate-errors/m-p/69263#M40239 <P>Hi,</P> <P>&nbsp;</P> <P>Thanks to both of you for the suggestions.&nbsp; I did reach out to our sales engineer to request the log as a feature.&nbsp; A custom response page is probably going to be our best bet.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>- Steve</P> <P>&nbsp;</P> Wed, 09 Dec 2015 15:48:46 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-log-for-ssl-certificate-errors/m-p/69263#M40239 RSKadish 2015-12-09T15:48:46Z