https://live.paloaltonetworks.com/t5/general-topics/proxy-decrypt-failure-in-session-detail-even-though-no-ssl/m-p/239122#M68491 <P>seems it was denying&nbsp; on port 80 and some destination ips.</P><P>&nbsp;</P><P>Allowed the port 80 and those destination ips it was good then.</P><P>&nbsp;</P><P>strange the cli gives error&nbsp;</P><PRE>tracker stage firewall : proxy decrypt failure</PRE><P>even though traffic was not decrypted?</P><P>any thoughts on that?&nbsp;</P> Thu, 08 Nov 2018 19:05:08 GMT MP18 2018-11-08T19:05:08Z https://live.paloaltonetworks.com/t5/general-topics/proxy-decrypt-failure-in-session-detail-even-though-no-ssl/m-p/239093#M68484 <P>CLI shows&nbsp;</P><P>&nbsp;</P><P><BR />Session 33880958</P><P>c2s flow:<BR />source: 10.29.32.146 [_DMZ]<BR />dst: 65.55.163.76<BR />proto: 6<BR />sport: 59760 dport: 443<BR />state: INIT type: FLOW<BR />src user: unknown<BR />dst user: unknown</P><P>s2c flow:<BR />source: 65.55.163.76 [_EXT]<BR />dst: 198.160.191.5<BR />proto: 6<BR />sport: 443 dport: 32999<BR />state: INIT type: FLOW<BR />src user: unknown<BR />dst user: unknown<BR />qos node: ae1.3741, qos member N/A Qid 0</P><P>DP : 1<BR />index(local): : 326526<BR />start time : Thu Nov 8 08:56:49 2018<BR />timeout : 90 sec<BR />total byte count(c2s) : 263<BR />total byte count(s2c) : 128<BR />layer7 packet count(c2s) : 3<BR />layer7 packet count(s2c) : 2<BR />vsys : vsys1<BR />application : ssl<BR />rule : interzone-default<BR />session to be logged at end : True<BR />session in session ager : False<BR />session updated by HA peer : False<BR />address/port translation : source<BR />nat-rule :x.x.x<BR />layer7 processing : enabled<BR />URL filtering enabled : True<BR />URL category : computer-and-internet-info<BR />session via syn-cookies : False<BR />session terminated on host : False<BR />session traverses tunnel : False<BR />captive portal session : False<BR />ingress interface : ae1.3741<BR />egress interface : ethernet1/13.4001<BR />session QoS rule : N/A (class 4)<BR />tracker stage firewall : proxy decrypt failure<BR />end-reason : policy-deny</P><P>&nbsp;</P><P>&nbsp;</P><P>Rule is there to allow any app on port 443 tcp</P> Thu, 08 Nov 2018 16:23:23 GMT https://live.paloaltonetworks.com/t5/general-topics/proxy-decrypt-failure-in-session-detail-even-though-no-ssl/m-p/239093#M68484 MP18 2018-11-08T16:23:23Z https://live.paloaltonetworks.com/t5/general-topics/proxy-decrypt-failure-in-session-detail-even-though-no-ssl/m-p/239112#M68487 <P>This is because&nbsp;that session was denied for some reason in your security policy.</P><P>&nbsp;</P><P>&nbsp;</P><PRE><SPAN>Session 33880958</SPAN><BR />...<BR />tracker stage firewall : proxy decrypt failure end-reason : <FONT color="#FF0000">policy-deny</FONT></PRE><P>&nbsp;</P><P>This <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFKCA0" target="_self">article</A>&nbsp;talks about the setup to ensure that a deny page is displayed (instead of a generic connection error). Your firewall has likely enabled that config, but was unable to display the page to the client. It could be as simple as the client not trusting the cert, which would make sense if you haven't set up decryption for your userbase.</P> Thu, 08 Nov 2018 17:51:35 GMT https://live.paloaltonetworks.com/t5/general-topics/proxy-decrypt-failure-in-session-detail-even-though-no-ssl/m-p/239112#M68487 gwesson 2018-11-08T17:51:35Z https://live.paloaltonetworks.com/t5/general-topics/proxy-decrypt-failure-in-session-detail-even-though-no-ssl/m-p/239122#M68491 <P>seems it was denying&nbsp; on port 80 and some destination ips.</P><P>&nbsp;</P><P>Allowed the port 80 and those destination ips it was good then.</P><P>&nbsp;</P><P>strange the cli gives error&nbsp;</P><PRE>tracker stage firewall : proxy decrypt failure</PRE><P>even though traffic was not decrypted?</P><P>any thoughts on that?&nbsp;</P> Thu, 08 Nov 2018 19:05:08 GMT https://live.paloaltonetworks.com/t5/general-topics/proxy-decrypt-failure-in-session-detail-even-though-no-ssl/m-p/239122#M68491 MP18 2018-11-08T19:05:08Z https://live.paloaltonetworks.com/t5/general-topics/proxy-decrypt-failure-in-session-detail-even-though-no-ssl/m-p/239124#M68492 <P>The session you pasted before was on port 443, so the port 80 allowance wouldn't have helped this session:</P><P>&nbsp;</P><P>&nbsp;</P><PRE>Session 33880958 c2s flow: source: 10.29.32.146 [_DMZ] dst: 65.55.163.76 proto: 6 sport: 59760 <FONT color="#FF0000">dport: 443</FONT></PRE><P>&nbsp;</P><P>If I had to hazard a guess, it was probably the destination blocks that were in place. But since you do have a next-gen firewall, if you&nbsp;<STRONG>are</STRONG> seeing TLS(ssl) traffic on port 80, the firewall will still know it's TLS and will try to display the block page if it's denied.</P><P>&nbsp;</P> Thu, 08 Nov 2018 19:15:04 GMT https://live.paloaltonetworks.com/t5/general-topics/proxy-decrypt-failure-in-session-detail-even-though-no-ssl/m-p/239124#M68492 gwesson 2018-11-08T19:15:04Z https://live.paloaltonetworks.com/t5/general-topics/proxy-decrypt-failure-in-session-detail-even-though-no-ssl/m-p/239128#M68493 <P>on Gui it is&nbsp; showing as&nbsp;</P><P>&nbsp;</P><P>type deny</P><P>&nbsp;</P><P>action reset both</P><P>application ssl&nbsp;</P><P>&nbsp;</P><P>session end reason policy deny</P> Thu, 08 Nov 2018 19:22:47 GMT https://live.paloaltonetworks.com/t5/general-topics/proxy-decrypt-failure-in-session-detail-even-though-no-ssl/m-p/239128#M68493 MP18 2018-11-08T19:22:47Z