topic SSL Website won't load with decryption enabled in General Topics https://live.paloaltonetworks.com/t5/general-topics/ssl-website-won-t-load-with-decryption-enabled/m-p/187019#M56973 <P>Hello.</P><P>&nbsp;</P><P>One of my users was trying to go to:</P><P>&nbsp;</P><P><A href="https://mn.b3benchmarking.com/Launch" target="_blank">https://mn.b3benchmarking.com/Launch</A></P><P>&nbsp;</P><P>We have SSL forward proxy enabled.&nbsp; If I exclude the site from decryption is comes up fine.&nbsp; We are not using any decryption profiles.</P><P>&nbsp;</P><P>Can anyone tell my why the sites won't come up?</P><P>&nbsp;</P><P>I did run a check using</P><P>&nbsp;</P><P><A href="https://www.ssllabs.com/ssltest/analyze.html?d=mn.b3benchmarking.com" target="_blank">https://www.ssllabs.com/ssltest/analyze.html?d=mn.b3benchmarking.com</A></P><P>&nbsp;</P><P>but am not sure how to&nbsp;interpret the output.</P><P>&nbsp;</P><P>Thanks,</P><P>Dannon</P><P>&nbsp;</P> Tue, 14 Nov 2017 21:59:31 GMT dannon 2017-11-14T21:59:31Z SSL Website won't load with decryption enabled https://live.paloaltonetworks.com/t5/general-topics/ssl-website-won-t-load-with-decryption-enabled/m-p/187019#M56973 <P>Hello.</P><P>&nbsp;</P><P>One of my users was trying to go to:</P><P>&nbsp;</P><P><A href="https://mn.b3benchmarking.com/Launch" target="_blank">https://mn.b3benchmarking.com/Launch</A></P><P>&nbsp;</P><P>We have SSL forward proxy enabled.&nbsp; If I exclude the site from decryption is comes up fine.&nbsp; We are not using any decryption profiles.</P><P>&nbsp;</P><P>Can anyone tell my why the sites won't come up?</P><P>&nbsp;</P><P>I did run a check using</P><P>&nbsp;</P><P><A href="https://www.ssllabs.com/ssltest/analyze.html?d=mn.b3benchmarking.com" target="_blank">https://www.ssllabs.com/ssltest/analyze.html?d=mn.b3benchmarking.com</A></P><P>&nbsp;</P><P>but am not sure how to&nbsp;interpret the output.</P><P>&nbsp;</P><P>Thanks,</P><P>Dannon</P><P>&nbsp;</P> Tue, 14 Nov 2017 21:59:31 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-website-won-t-load-with-decryption-enabled/m-p/187019#M56973 dannon 2017-11-14T21:59:31Z Re: SSL Website won't load with decryption enabled https://live.paloaltonetworks.com/t5/general-topics/ssl-website-won-t-load-with-decryption-enabled/m-p/187139#M56991 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5565">@dannon</a>,</P> <P>&nbsp;</P> <P>What PAN-OS are you running ? Note that older PAN-OS versions have less&nbsp;supported ciphers :</P> <P><A href="https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/supported-cipher-suites" target="_blank">https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/supported-cipher-suites</A></P> <P>&nbsp;</P> <P>The site you mentioned seems to support only&nbsp;older protocols&nbsp; (no TLS 1.1, 1.2 or 1.3).&nbsp; You might have configured a Min version on your firewall.</P> <P>Also you might have configured your decryption in such a way to block unsupported versions.</P> <P>&nbsp;</P> <P>Have you checked the global counters for possible&nbsp;issues ?</P> <P><SPAN>The "show counter global"</SPAN><SPAN>&nbsp;</SPAN>command will show if a cipher suite is unsupported.</P> <P>&nbsp;</P> <P>With a PCAP filter applied and using delta counters:</P> <PRE>&gt; show counter global filter packet-filter yes delta yes</PRE> <P>or</P> <P>&nbsp;</P> <PRE>&gt; show counter global filter delta yes | match "ssl_server_cipher_not_supported" </PRE> <P>&nbsp;</P> <P>Hope this helps,</P> <P>-Kim.</P> Wed, 15 Nov 2017 09:17:42 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-website-won-t-load-with-decryption-enabled/m-p/187139#M56991 kiwi 2017-11-15T09:17:42Z Re: SSL Website won't load with decryption enabled https://live.paloaltonetworks.com/t5/general-topics/ssl-website-won-t-load-with-decryption-enabled/m-p/187244#M57007 <P>After looking at the SSL Labs report for this website and seeing all the issues...&nbsp; Try getting in contact with the website owner to fix their site (I have had to do this myself on several occasions).&nbsp; Then, if they don't fix their site and you still require access, create a decryption policy that excludes this one URL.</P><P>&nbsp;</P><P>We are running PAN-OS 8.0.5, and the webpage doesn't load for me either.&nbsp;&nbsp;</P> Wed, 15 Nov 2017 18:08:52 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-website-won-t-load-with-decryption-enabled/m-p/187244#M57007 CTW1983 2017-11-15T18:08:52Z Re: SSL Website won't load with decryption enabled https://live.paloaltonetworks.com/t5/general-topics/ssl-website-won-t-load-with-decryption-enabled/m-p/187246#M57008 <P>Thanks.</P><P>&nbsp;</P><P>We run 8.0.5 and I'm glad it's not unique to our setup.</P><P>&nbsp;</P><P>I have excluded the website for the time being.</P><P>Dannon</P><P>&nbsp;</P> Wed, 15 Nov 2017 18:46:15 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-website-won-t-load-with-decryption-enabled/m-p/187246#M57008 dannon 2017-11-15T18:46:15Z