https://live.paloaltonetworks.com/t5/general-topics/cipher-suites-decryption-7-1/m-p/78932#M43079 <P>Thanks for your help!</P> <P>&nbsp;</P> <P>Turns out in the small print the EDHC ciphers are only supported in SSL forward proxy decryption, not inbound, which is why they don't work with the current setup. So, although Palo state that certain ciphers are now supported in 7.1, it's best not to just go by the new cipher suites added in 7.1.</P> <P>&nbsp;</P> <P>It's in very small print in the Decryption Profile under Protocol Settings:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="protocol settings.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4244i17ABF3F4858523FE/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="protocol settings.png" alt="protocol settings.png" /></span></P> <P>&nbsp;</P> <P>Anyway, thank you again for your help.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thanks</P> <P>Jack</P> Wed, 01 Jun 2016 15:05:57 GMT Jack_Howells 2016-06-01T15:05:57Z https://live.paloaltonetworks.com/t5/general-topics/cipher-suites-decryption-7-1/m-p/78911#M43070 <P>Hi guys,</P> <P>&nbsp;</P> <P>Configuring inbound SSL inspection on 7.1, decryption does not work with the newly supported cipher suites shown in the document below.</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/PAN-OS-7-1-Articles/PAN-OS-7-1-Supported-ciphers/ta-p/71969" target="_blank">https://live.paloaltonetworks.com/t5/PAN-OS-7-1-Articles/PAN-OS-7-1-Supported-ciphers/ta-p/71969</A></P> <P>&nbsp;</P> <P>Only the cipher suites shown in the document below again work.&nbsp;The document above states that&nbsp;<SPAN>ECDHE should work but it does not. &nbsp;&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN><A href="https://live.paloaltonetworks.com/t5/Management-Articles/SSL-Decryption-Not-Working-due-to-Unsupported-Cipher-Suites/ta-p/55543" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/SSL-Decryption-Not-Working-due-to-Unsupported-Cipher-Suites/ta-p/55543</A></SPAN></P> <P>&nbsp;</P> <P><SPAN>Could anyone provide some advice for this situation?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Cheers</SPAN></P> <P>&nbsp;</P> Wed, 01 Jun 2016 09:40:38 GMT https://live.paloaltonetworks.com/t5/general-topics/cipher-suites-decryption-7-1/m-p/78911#M43070 Jack_Howells 2016-06-01T09:40:38Z https://live.paloaltonetworks.com/t5/general-topics/cipher-suites-decryption-7-1/m-p/78918#M43072 <P>Hi Jack</P> <P>&nbsp;</P> <P>there are some limitations for ECDHE, did you take these into account:</P> <P><BR /><SPAN>&nbsp;&nbsp; For ECDHE, only named curves.</SPAN><BR /><SPAN>&nbsp;&nbsp; For ECDHE EC_point format, only uncompressed.</SPAN></P> <P>&nbsp;</P> <P><SPAN>and that your cipher matches one of the listed modes (some E<STRONG>CDHEmodes are not supported)</STRONG></SPAN></P> Wed, 01 Jun 2016 09:48:13 GMT https://live.paloaltonetworks.com/t5/general-topics/cipher-suites-decryption-7-1/m-p/78918#M43072 reaper 2016-06-01T09:48:13Z https://live.paloaltonetworks.com/t5/general-topics/cipher-suites-decryption-7-1/m-p/78926#M43076 <P>Hi,</P> <P>&nbsp;</P> <P>Thanks for your response.</P> <P>&nbsp;</P> <P>The cipher suites I'm using on the F5 load balancer are:</P> <P>&nbsp;</P> <P>ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA</P> <P>&nbsp;</P> <P>Does this match the limitations for ECDHE?</P> <P>&nbsp;</P> <P>Kind regards</P> <P>Jack</P> Wed, 01 Jun 2016 10:54:38 GMT https://live.paloaltonetworks.com/t5/general-topics/cipher-suites-decryption-7-1/m-p/78926#M43076 Jack_Howells 2016-06-01T10:54:38Z https://live.paloaltonetworks.com/t5/general-topics/cipher-suites-decryption-7-1/m-p/78928#M43077 <P>Hi Jack</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Those appear to match... you could try setting up a packet-diag with log features 'flow basic' and 'proxy all' for 1 single source, this may help shine some light on why it isn't working as expected</P> <P>&nbsp;</P> <P>check out this article for some help with the packet-diag:&nbsp;<A title="Getting Started: Flow Basic" href="https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Flow-Basic/ta-p/72556" target="_blank">Getting Started: Flow Basic</A></P> Wed, 01 Jun 2016 11:18:06 GMT https://live.paloaltonetworks.com/t5/general-topics/cipher-suites-decryption-7-1/m-p/78928#M43077 reaper 2016-06-01T11:18:06Z https://live.paloaltonetworks.com/t5/general-topics/cipher-suites-decryption-7-1/m-p/78932#M43079 <P>Thanks for your help!</P> <P>&nbsp;</P> <P>Turns out in the small print the EDHC ciphers are only supported in SSL forward proxy decryption, not inbound, which is why they don't work with the current setup. So, although Palo state that certain ciphers are now supported in 7.1, it's best not to just go by the new cipher suites added in 7.1.</P> <P>&nbsp;</P> <P>It's in very small print in the Decryption Profile under Protocol Settings:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="protocol settings.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4244i17ABF3F4858523FE/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="protocol settings.png" alt="protocol settings.png" /></span></P> <P>&nbsp;</P> <P>Anyway, thank you again for your help.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thanks</P> <P>Jack</P> Wed, 01 Jun 2016 15:05:57 GMT https://live.paloaltonetworks.com/t5/general-topics/cipher-suites-decryption-7-1/m-p/78932#M43079 Jack_Howells 2016-06-01T15:05:57Z