topic Re: SSL decryption & not working VPN in General Topics

SSL decryption & not working VPN

Indorama_Ventures — Mon, 13 Mar 2017 10:09:36 GMT

Hi guys,

We wittnessed a very strange phenomenon this morning.

First we received a call that our VPN gateway was not accepting any VPN connections.

At the same time we received calls that certain websites were not accessible. These websites had in common that they were SSL encrypted.

We have 2 PA-500 firewalls with a HA configuration.
SSL decryption is enabled for certain networks (workstations). SSL decryption uses a different certificate than our VPN gateway.

Both certificates are valid.

As soon as we turned off SSL decryption, the VPN gateway started to accept connections.

When we turned SSL decryption back on we noticed that some websites were decrypted while others were not.

The sites that were not decrypted should have been decrypted. They were not in the "Do-not-Decrypt" list.

To be certain the firewall was doing the job right, I deleted the certificate cache on my browser. I also visited sites that were SSL encrypted which I had not visited before.

We are a bit puzzled what happened here. Currently we have SSL decryption turned off but would like to have it on again.

The PA-500 is a few software versions behind. Currently on version 7.1.2

I have tried to find anything related in the release notes of the newer versions that might indicate a problem with our current version. I was not able to find this.

Any ideas what might be going on?

Remko

Re: SSL decryption & not working VPN

glastra1 — Mon, 13 Mar 2017 15:47:17 GMT

Per the description sounds like a buffer depletion, I just checked the release notes and there are a couple of fixes on that but I'd recommend you to collect a tech support and open a TAC case to get the right diagnostic.

regards,

Gerardo.

Re: SSL decryption & not working VPN

BPry — Mon, 13 Mar 2017 15:54:13 GMT

@Indorama_Ventures it does sound like buffer depletion, which is multiple fixes were made in later releases. I would recommend upgrading, 7.1.2 was very early in the 7.1 lifecycle and therefore has quite a few bugs that weren't patched until later versions.

Re: SSL decryption & not working VPN

Indorama_Ventures — Tue, 14 Mar 2017 08:04:01 GMT

Thanks both for your answers. We will plan a maintenance window to update both firewalls to their latest version.

Any recommendations to which version? I noticed that version 8.0.0 has been released recently.

Would it be wise to stick with 7.1.8 for now?

Remko

Re: SSL decryption & not working VPN

TranceforLife — Tue, 14 Mar 2017 08:44:22 GMT

I think yes 7.1.8 is the one we also decided to go for now but to be fair you never know which release will work well for your environment.

Re: SSL decryption & not working VPN

BPry — Tue, 14 Mar 2017 14:18:38 GMT

@Indorama_Ventures personally I would not run 8.0 in a production enviroment at all; but that's just me. Stick with 7.1.8 and you shouldn't run into any issues.