topic Re: SSL inbound inspection wildcard certificate in General Topics

SSL inbound inspection wildcard certificate

dkordyban — Tue, 20 Dec 2016 21:59:18 GMT

Trying to configure ssl inbound inspection for one of my web sites hosted internally. The IIS server has many sites being served thru host headers. All of the SSL bound sites use the same wildcard certificate *.external-domain-name on this server. I export this cert with key and import into pa.

I make decryption policy to match a specific url in url category for the site I am testing with. When I watch the monitor i see session_end_reason eq decrypt-unsupport-param in session end reason. I am not sure what I am doing wrong.

Wildcard certs not supports for inbound inspection maybe?

Thanks for reading.

Re: SSL inbound inspection wildcard certificate

mlinsemier — Tue, 20 Dec 2016 22:26:30 GMT

What version of PAN-OS are you running? If you are using newer crypto on your certificates you will need PAN-OS 7.1 or higher.

Re: SSL inbound inspection wildcard certificate

dkordyban — Wed, 21 Dec 2016 11:39:20 GMT

running 7.1.5

Re: SSL inbound inspection wildcard certificate

dkordyban — Sun, 03 Jun 2018 18:31:00 GMT

We are still looking for a fix with this. We have since upgraded to 8.0.5 and it still doesnt work. Anyone had any success with this?

Re: SSL inbound inspection wildcard certificate

Remo — Sun, 03 Jun 2018 18:39:30 GMT

Hi @dkordyban

Does your IIS only accept connections with SNI or does it serve also a default website for connections without SNI? Did you capture traffic between the firewall and the webserver -> does the firewall send the SNI attribute?

Did you open a support case regarding this issue?