https://live.paloaltonetworks.com/t5/general-topics/use-mp-ssl-session-cache/m-p/237789#M68131 <P>Thanks for reply.</P><P>Going forward will do that.</P><P>PAN OS&nbsp;8.0.9</P><P>&nbsp;</P><P>model: PA-5220</P><P>&nbsp;</P><P>show system setting ssl-decrypt session-cache</P><P>Queued message buffers to MP: 0<BR />Total messages to MP: 103628501 (1984004)<BR />hosts (client/server) id/ticket age cipher_c cipher_s user<BR />--------------------------------------------------------------------------------</P><P>&nbsp;</P><P>I will not modify the settings.</P><P>I see there lot of sssl conenctions</P><P>&nbsp;</P><P>Are these SSL conections for active traffic?</P><P>Can you please explain me in more detail cache ssl sessions in MP?</P> Tue, 30 Oct 2018 15:10:39 GMT MP18 2018-10-30T15:10:39Z https://live.paloaltonetworks.com/t5/general-topics/use-mp-ssl-session-cache/m-p/237644#M68090 <P>when i run the below command&nbsp;</P><P>&nbsp;</P><P>show system setting ssl-decrypt setting</P><P>&nbsp;</P><P>vsys : vsys1<BR />Forward Proxy Ready : yes<BR />Inbound Proxy Ready : no<BR />Disable ssl : no<BR />Disable ssl-decrypt : no<BR />Notify user : no<BR />Proxy for URL : no<BR />Wait for URL : yes<BR />Block revoked Cert : yes<BR />Cert Status Query Timeout : 5<BR />URL Category Query Timeout : 5<BR />Fwd proxy server cert's rsa key size: 0<BR />Fwd proxy server cert's ecdsa key size: 0<BR />Use Cert Cache : yes<BR />Verify CRL : no<BR />Verify OCSP : no<BR />CRL Status receive Timeout : 5<BR />OCSP Status receive Timeout : 5<BR /><FONT color="#993300">Use MP SSL Session Cache : yes</FONT><BR />Use TCP SACK Option : yes</P><P>&nbsp;</P><P>Need to understand do we use MP for ssl decryt???????</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 29 Oct 2018 17:39:06 GMT https://live.paloaltonetworks.com/t5/general-topics/use-mp-ssl-session-cache/m-p/237644#M68090 MP18 2018-10-29T17:39:06Z https://live.paloaltonetworks.com/t5/general-topics/use-mp-ssl-session-cache/m-p/237784#M68128 <P>Please include your PAN-OS version and platform if possible when posting questions, it can really help in diagnosing issues.</P><P>&nbsp;</P><P>Some platforms (such as PA-5000 and the older PA-7000 NPCs) don't have enough memory on the DP to effectively cache SSL sessions compared to how many decryption sessions they support. The setting you see leverages the MP memory to store the SSL session cache instead, giving the system the ability to effectively keep up with the demand of the platform. It's enabled by default, and can be modified by:</P><P>&nbsp;</P><PRE>&gt; configure # set deviceconfig setting ssl-decrypt use-mp-sess-cache &lt;yes|no&gt; # commit</PRE><P>I wouldn't recommend touching it though, since it is working as designed. Removing it could cause your DP CPU to increase since it has less cache space for resuming previously-negotiated decrypted SSL (TLS) sessions. You can see&nbsp;the cache&nbsp;activity with:</P><P>&nbsp;</P><PRE>&gt; show system setting ssl-decrypt session-cache </PRE><P>&nbsp;</P> Tue, 30 Oct 2018 14:58:02 GMT https://live.paloaltonetworks.com/t5/general-topics/use-mp-ssl-session-cache/m-p/237784#M68128 gwesson 2018-10-30T14:58:02Z https://live.paloaltonetworks.com/t5/general-topics/use-mp-ssl-session-cache/m-p/237789#M68131 <P>Thanks for reply.</P><P>Going forward will do that.</P><P>PAN OS&nbsp;8.0.9</P><P>&nbsp;</P><P>model: PA-5220</P><P>&nbsp;</P><P>show system setting ssl-decrypt session-cache</P><P>Queued message buffers to MP: 0<BR />Total messages to MP: 103628501 (1984004)<BR />hosts (client/server) id/ticket age cipher_c cipher_s user<BR />--------------------------------------------------------------------------------</P><P>&nbsp;</P><P>I will not modify the settings.</P><P>I see there lot of sssl conenctions</P><P>&nbsp;</P><P>Are these SSL conections for active traffic?</P><P>Can you please explain me in more detail cache ssl sessions in MP?</P> Tue, 30 Oct 2018 15:10:39 GMT https://live.paloaltonetworks.com/t5/general-topics/use-mp-ssl-session-cache/m-p/237789#M68131 MP18 2018-10-30T15:10:39Z