topic Re: SSL Inbound Inspection not working with decrypt-error message in General Topics

SSL Inbound Inspection not working with decrypt-error message

FTBZ — Fri, 02 Dec 2016 09:44:36 GMT

Hello,

I'm trying to setup, for the first time, our SSL Inbound Inspection, but I've some difficulties to achieve the setup.

The configuration seems really simple, and I followed this guide:

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/configure-ssl-inbound-inspection#34438

I'd imported the certificate and intermediate certificate, checked that the root CA exists in the in the Trusted Certificate Authorities (Quovadis Root CA 2) and create a decryption rule.

When checking the traffic log, all entries matching the decryption rule returns a decrypt-error as the session end reason.

How I can debug this kind of error?

Thanks!

Re: SSL Inbound Inspection not working with decrypt-error message

bmorris1 — Fri, 02 Dec 2016 09:54:28 GMT

Hi FTBZ,

When you're configuring Inbound inspection you're looking to decrypt traffic that is incoming to a server providing encrypted services, like a HTTPS enabled web-server.

To get Inbound inspection to work you'll need to use the same certificate on the firewall (with private key) that you use on the server. You don't need an intermediate certificate for inbound inspection.

hope this helps,

Ben

Re: SSL Inbound Inspection not working with decrypt-error message

reaper — Fri, 02 Dec 2016 10:38:50 GMT

also make sure the server is using a cupher suite that's supported by the firewall : PAN-OS 7.1 Supported ciphers

Re: SSL Inbound Inspection not working with decrypt-error message

FTBZ — Wed, 07 Dec 2016 19:51:14 GMT

Sorry for the late response, didn't get the notification about new message.

To get Inbound inspection to work you'll need to use the same certificate on the firewall (with private key) that you use on the server. You don't need an intermediate certificate for inbound inspection.

Exactly what I've done, but thanks.

also make sure the server is using a cupher suite that's supported by the firewall : PAN-OS 7.1 Supported ciphers

Oh, thanks. Perhaps my problem can be here, our Apache configurations have a lot of cipher fine-tuning.

Re: SSL Inbound Inspection not working with decrypt-error message

FTBZ — Thu, 08 Dec 2016 05:49:49 GMT

@reaper wrote:
also make sure the server is using a cupher suite that's supported by the firewall : PAN-OS 7.1 Supported ciphers

I checked the cipher used during my tests and it's one that's supported by PAN-OS 7.1 (TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256).

We're using Quovadis certificates that need an intermediate one. Someone knows the correct steps to use it? The default CA root exists in the Default Trusted Certificate Autorities. Need I to reupload it to the Device Certificate for using intermediate? The Trusted Root CA checkbox needs to be used for an intermediate? 🤔

Re: SSL Inbound Inspection not working with decrypt-error message

FTBZ — Wed, 25 Jan 2017 13:09:05 GMT

Finally, figured it out. For SSL Inbound Inspection only RSA key exchange is supported... Found this information in small in the Decryption Profile. Didn't see it before because I used the default one. This information needs really to be added to the documentation and to the page "PAN-OS 7.1 Supported ciphers".

Don't think that disabling ECDHE and using RSA on our web serversis a good choice. Any idea?

Re: SSL Inbound Inspection not working with decrypt-error message

kdd — Wed, 25 Jan 2017 13:39:53 GMT

it is important that your webserver is offering the same of what is supported by palo alto. take a look here: