https://live.paloaltonetworks.com/t5/general-topics/inbound-ssl-decryption-multi-cert-to-single-ip/m-p/210990#M61577 <P>thanks&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>.</P><P>&nbsp;</P><P>I figured the decryption follows the top/down. Do you have any thoughts why the traffic does not generate url any https logs for the unencrypted sites on this host when the decrpyt errors occur?&nbsp;</P> Thu, 19 Apr 2018 16:25:18 GMT clewis1 2018-04-19T16:25:18Z https://live.paloaltonetworks.com/t5/general-topics/inbound-ssl-decryption-multi-cert-to-single-ip/m-p/210743#M61522 <P>Hoping to get a little feed back regarding inbound ssl decryption.</P><P>&nbsp;</P><P>We have beeing doing inbound ssl decryption to our public presense on version 8.0.7.</P><P>&nbsp;</P><P>Things have been going realitivley well but I am running into some issues and not sure if I can fix it at the firewall level. Where I am running into issues is when we have multiple certs applied on a load balancer to a single ip which is behind the firewall.&nbsp;</P><P>&nbsp;</P><P>example:</P><P>ip address 1.2.3.4 (following sites all resolve to this ip this single ip addresss)</P><P>&nbsp;</P><P>decrypt rule 1 = use cert on lb (wildcard cert *.domain.com) to 1.2..3.4</P><P><A href="http://www.domain.com" target="_blank">www.domain.com</A>, bob.domain.com, ie.domain.com (all using *.domain.com) - decrpyting as expected no issue</P><P>&nbsp;</P><P>decrypt rule 2 =&nbsp;<SPAN>use cert on lb (*.domain1.com) to 1.2.3.4</SPAN></P><P>domain1.com, cars.domain1.com - no decryption happening, traffic logs&nbsp;show session end reason of decrpyt-error, no url traffic logs (for https, if site is http url logs will appear as expected)- but I can get to the website as normal.&nbsp;</P><P>&nbsp;</P><P>Also other sites (<A href="http://www.domain3.com" target="_blank">www.domain3.com</A>, domain4,com, etc) on this&nbsp; ip 1.2.3.4 with a different domain and no decrypt rule have same symptoms as decrypt rule 2.</P><P>&nbsp;</P><P>My question is there a way to decrypt&nbsp;to a single ip using multiple certs? Also is there an explanation behind why https url logs do not show when decryption erros occur in traffic logs?</P><P>&nbsp;</P><P>All testing has been completed with IE and Chrome</P><P>&nbsp;</P> Wed, 18 Apr 2018 14:04:26 GMT https://live.paloaltonetworks.com/t5/general-topics/inbound-ssl-decryption-multi-cert-to-single-ip/m-p/210743#M61522 clewis1 2018-04-18T14:04:26Z https://live.paloaltonetworks.com/t5/general-topics/inbound-ssl-decryption-multi-cert-to-single-ip/m-p/210783#M61537 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/41709">@clewis1</a>,</P><P>The rules are all analyzed in a top/down manner; therefore the first decryption policy that matches the source and destination is going to be the decryption policy that is applied. Unless you use the source as a differentation between the policies then something like this is not going to work.&nbsp;</P> Wed, 18 Apr 2018 15:57:04 GMT https://live.paloaltonetworks.com/t5/general-topics/inbound-ssl-decryption-multi-cert-to-single-ip/m-p/210783#M61537 BPry 2018-04-18T15:57:04Z https://live.paloaltonetworks.com/t5/general-topics/inbound-ssl-decryption-multi-cert-to-single-ip/m-p/210990#M61577 <P>thanks&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>.</P><P>&nbsp;</P><P>I figured the decryption follows the top/down. Do you have any thoughts why the traffic does not generate url any https logs for the unencrypted sites on this host when the decrpyt errors occur?&nbsp;</P> Thu, 19 Apr 2018 16:25:18 GMT https://live.paloaltonetworks.com/t5/general-topics/inbound-ssl-decryption-multi-cert-to-single-ip/m-p/210990#M61577 clewis1 2018-04-19T16:25:18Z https://live.paloaltonetworks.com/t5/general-topics/inbound-ssl-decryption-multi-cert-to-single-ip/m-p/211220#M61637 <P>Add custom URL category (for single domain) in decryption policy.</P> Fri, 20 Apr 2018 23:40:22 GMT https://live.paloaltonetworks.com/t5/general-topics/inbound-ssl-decryption-multi-cert-to-single-ip/m-p/211220#M61637 blabla 2018-04-20T23:40:22Z https://live.paloaltonetworks.com/t5/general-topics/inbound-ssl-decryption-multi-cert-to-single-ip/m-p/211221#M61638 <P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/Resolving-the-URL-Category-in-Decryption-When-Multiple-URLs-Use/ta-p/62573" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/Resolving-the-URL-Category-in-Decryption-When-Multiple-URLs-Use/ta-p/62573</A></P> Fri, 20 Apr 2018 23:44:45 GMT https://live.paloaltonetworks.com/t5/general-topics/inbound-ssl-decryption-multi-cert-to-single-ip/m-p/211221#M61638 blabla 2018-04-20T23:44:45Z