https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption/m-p/75145#M41886 <P>Hello</P> <P>&nbsp;</P> <P>We have recentley tuned on SSL Decryption for some users.</P> <P>Since then we are getting some SSL sites that cannot be accessed due to cypher mismatch. It is something we were exepcting, but not the amount of URL this is happneing for.</P> <P>&nbsp;</P> <P>My question, is there a setting that I can turn on that will allow the site to be accessed if the SSL Decryption fails ?</P> <P>My assumption is that most sites will get decrypted and we will get the relevant APP-id data from it.</P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> Thu, 24 Mar 2016 10:11:24 GMT RC-BHF 2016-03-24T10:11:24Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption/m-p/75145#M41886 <P>Hello</P> <P>&nbsp;</P> <P>We have recentley tuned on SSL Decryption for some users.</P> <P>Since then we are getting some SSL sites that cannot be accessed due to cypher mismatch. It is something we were exepcting, but not the amount of URL this is happneing for.</P> <P>&nbsp;</P> <P>My question, is there a setting that I can turn on that will allow the site to be accessed if the SSL Decryption fails ?</P> <P>My assumption is that most sites will get decrypted and we will get the relevant APP-id data from it.</P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> Thu, 24 Mar 2016 10:11:24 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption/m-p/75145#M41886 RC-BHF 2016-03-24T10:11:24Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption/m-p/75146#M41887 <P>You can decide what you want to do with sites that can't be decrypted in SSL forward proxy options in decryption profile:</P> <P>&nbsp;</P> <PRE>Unsupported Mode Checks Block sessions with unsupported versions Block sessions with unsupported cipher suites Block sessions with client authentication</PRE> Thu, 24 Mar 2016 10:19:40 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption/m-p/75146#M41887 santonic 2016-03-24T10:19:40Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption/m-p/75163#M41890 <P>On the more recent PAN-OS versions, if a site is using an unsupported cipher then it is added automatically to the ssl-decrypt exclude cache and will no longer be decrypted :</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/SSL-decrypt-exclude-cache-and-unsupported-ECDHE-cipher-suites/ta-p/68109" target="_blank">SSL-decrypt-exclude-cache-and-unsupported-cipher-suites</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 24 Mar 2016 13:35:22 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption/m-p/75163#M41890 kiwi 2016-03-24T13:35:22Z