https://live.paloaltonetworks.com/t5/general-topics/how-to-drop-new-ssl-sessions-when-limit-is-reached-in-6-1-x/m-p/6096#M4432 <HTML><HEAD></HEAD><BODY><P>If you're out of sessions because your session table is full (show session info), a new session won't be installed whether or not it's SSL. A session is created on the first packet, and for SSL that typically means a TCP SYN packet on destination port 443.</P><P></P><P>If there is no available session, you won't get to the point where a decision can be made based on other factors.</P><P></P><P>So to answer your question, the "Block sessions if resources not available" means that the session has already been installed and there are no resources to actually handle the decryption.</P><P>Best regards,</P><P>Greg</P></BODY></HTML> Wed, 24 Jun 2015 16:46:15 GMT gwesson 2015-06-24T16:46:15Z https://live.paloaltonetworks.com/t5/general-topics/how-to-drop-new-ssl-sessions-when-limit-is-reached-in-6-1-x/m-p/6093#M4429 <HTML><HEAD></HEAD><BODY><P>We'd like to drop any new SSL sessions if the system has reached the SSL Decrypted Session Limit.</P><P></P><P>This page, <A href="https://live.paloaltonetworks.com/docs/DOC-1412">How to Implement and Test SSL Decryption</A>, says to run:</P><P><SPAN style="color: #3b3b3b; font-family: 'courier new', courier; font-size: 13px; font-style: normal; font-weight: normal; text-align: left; text-indent: 0px;">&gt; set deviceconfig setting ssl-decrypt deny-setup-failure yes</SPAN></P><P>but it doesn't seem to be there in version 6.1.4</P><P></P><P>In the Web UI, there is an option under when creating a Decryption Profile, to "Block sessions if resources not available".</P><P></P><P>Is that the same thing?</P><P></P><P>Thanks,</P><P>Eugene</P></BODY></HTML> Wed, 24 Jun 2015 01:06:20 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-drop-new-ssl-sessions-when-limit-is-reached-in-6-1-x/m-p/6093#M4429 eugenep 2015-06-24T01:06:20Z https://live.paloaltonetworks.com/t5/general-topics/how-to-drop-new-ssl-sessions-when-limit-is-reached-in-6-1-x/m-p/6094#M4430 <HTML><HEAD></HEAD><BODY><P>The option that you are referring&nbsp; means "Terminate sessions if system resources are not available to process decryption" so the sessions will be dropped if the resources are not available.</P><P></P><P>Please rate the helpful answer.</P></BODY></HTML> Wed, 24 Jun 2015 01:16:37 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-drop-new-ssl-sessions-when-limit-is-reached-in-6-1-x/m-p/6094#M4430 pankaku 2015-06-24T01:16:37Z https://live.paloaltonetworks.com/t5/general-topics/how-to-drop-new-ssl-sessions-when-limit-is-reached-in-6-1-x/m-p/6095#M4431 <HTML><HEAD></HEAD><BODY><P>Yes, I've read the help documentation.</P><P></P><P>Does that include the fact that there are no sessions available? Is a session in this context, considered a resource?</P></BODY></HTML> Wed, 24 Jun 2015 01:24:05 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-drop-new-ssl-sessions-when-limit-is-reached-in-6-1-x/m-p/6095#M4431 eugenep 2015-06-24T01:24:05Z https://live.paloaltonetworks.com/t5/general-topics/how-to-drop-new-ssl-sessions-when-limit-is-reached-in-6-1-x/m-p/6096#M4432 <HTML><HEAD></HEAD><BODY><P>If you're out of sessions because your session table is full (show session info), a new session won't be installed whether or not it's SSL. A session is created on the first packet, and for SSL that typically means a TCP SYN packet on destination port 443.</P><P></P><P>If there is no available session, you won't get to the point where a decision can be made based on other factors.</P><P></P><P>So to answer your question, the "Block sessions if resources not available" means that the session has already been installed and there are no resources to actually handle the decryption.</P><P>Best regards,</P><P>Greg</P></BODY></HTML> Wed, 24 Jun 2015 16:46:15 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-drop-new-ssl-sessions-when-limit-is-reached-in-6-1-x/m-p/6096#M4432 gwesson 2015-06-24T16:46:15Z https://live.paloaltonetworks.com/t5/general-topics/how-to-drop-new-ssl-sessions-when-limit-is-reached-in-6-1-x/m-p/6097#M4433 <HTML><HEAD></HEAD><BODY><P>There is difference in size of session table and max decrypted sessions.</P><P>For example max ssl sessions for 3050 and 3020 are following:</P><P>Max concurrent decryption sessions</P><P>3050 - 15,360</P><P>3020 - 7,936</P><P></P><P><A href="https://www.paloaltonetworks.com/products/product-comparison.html?chosen=pa-3050,pa-3020" title="https://www.paloaltonetworks.com/products/product-comparison.html?chosen=pa-3050,pa-3020">Product Comparison</A></P><P></P><P>So your session table does not have to be full but ssl decryption resources can be fully allocated.</P></BODY></HTML> Thu, 25 Jun 2015 06:44:23 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-drop-new-ssl-sessions-when-limit-is-reached-in-6-1-x/m-p/6097#M4433 Raido_Rattameister 2015-06-25T06:44:23Z