https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-not-working-with-policy-based-forwarding/m-p/247369#M70380 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/83148">@Shuaib_Khalid</a>,</P><P>&nbsp;</P><P>The SSL error implies that the client is successfully getting decrypted but they aren't trusting the "Forward Trust" certificate that the firewall is presenting it.</P><P>&nbsp;</P><P>Q1 - Where did you obtain the certificate from? Was it from Active Directory Certificate Server (or PKI equivalent) or self-signed on the firewall?</P><P>Q2 If from PKI, is the machine part of the domain, and have you pushed out this cert to "Trusted Root Certification Authorities" folder via GPO?</P><P>&nbsp;</P><P>If self-signed, the certificate needs to be installed again in the Trusted Root Certification Authorities folder for the local machine.</P><P>&nbsp;</P><P>Q3 - If the certificate marked as CA? Certificate authority?</P><P>&nbsp;</P><P>Cheers,</P><P>Luke.</P> Thu, 24 Jan 2019 14:37:51 GMT LukeBullimore 2019-01-24T14:37:51Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-not-working-with-policy-based-forwarding/m-p/247333#M70378 <P>I have configured SSL decryption with one ISP which is configured via default route and it is working fine. I have another ISP and I configured to forward internet traffic from particular endpoints (same trust zone) to 2nd ISP, for this purpose i created NAT and&nbsp; a PBF rule&nbsp;for those particular endpoints, scenario was working fine till now.</P><P>&nbsp;</P><P>I want decrypt the outgoing internet traffic of 2nd ISP users as well, i created another decryption rule for those users by mentioning destination zone of 2nd ISP, but there is SSL error on end points.</P><P>&nbsp;</P><P>Please help me in this regard.</P> Thu, 24 Jan 2019 12:25:56 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-not-working-with-policy-based-forwarding/m-p/247333#M70378 Shuaib_Khalid 2019-01-24T12:25:56Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-not-working-with-policy-based-forwarding/m-p/247369#M70380 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/83148">@Shuaib_Khalid</a>,</P><P>&nbsp;</P><P>The SSL error implies that the client is successfully getting decrypted but they aren't trusting the "Forward Trust" certificate that the firewall is presenting it.</P><P>&nbsp;</P><P>Q1 - Where did you obtain the certificate from? Was it from Active Directory Certificate Server (or PKI equivalent) or self-signed on the firewall?</P><P>Q2 If from PKI, is the machine part of the domain, and have you pushed out this cert to "Trusted Root Certification Authorities" folder via GPO?</P><P>&nbsp;</P><P>If self-signed, the certificate needs to be installed again in the Trusted Root Certification Authorities folder for the local machine.</P><P>&nbsp;</P><P>Q3 - If the certificate marked as CA? Certificate authority?</P><P>&nbsp;</P><P>Cheers,</P><P>Luke.</P> Thu, 24 Jan 2019 14:37:51 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-not-working-with-policy-based-forwarding/m-p/247369#M70380 LukeBullimore 2019-01-24T14:37:51Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-not-working-with-policy-based-forwarding/m-p/247579#M70428 <P>Hi Luke,</P><P>&nbsp;</P><P>Thank for responding on the query, below are answers of your questions.</P><P>&nbsp;</P><P>Q1 - Where did you obtain the certificate from? Was it from Active Directory Certificate Server (or PKI equivalent) or self-signed on the firewall?</P><P>Ans: Certificate is self singed generated from Palo Alto</P><P>&nbsp;</P><P>Q2 If from PKI, is the machine part of the domain, and have you pushed out this cert to "Trusted Root Certification Authorities" folder via GPO?</P><P>Ans: I have manually imported the certificate on testing machines in Trusted Root of all browsers</P><P>&nbsp;</P><P>If self-signed, the certificate needs to be installed again in the Trusted Root Certification Authorities folder for the local machine.</P><P>&nbsp;</P><P>Q3 - If the certificate marked as CA? Certificate authority?</P><P>Ans: Yes, the certificate is marked as CA.</P><P>&nbsp;</P><P>When i put testing machin on ISP 1 there no certificate error, decryption is succesfull and i got proper application detection but when i put the same machine on ISP 2 it gives SSL error.</P><P>&nbsp;</P><P>Some Important points:</P><P>I have one SSL certificate on the firewall and two decryption policies for ISP1 and ISP2 users.</P><P>ISP1 is configured with default route while traffic is forwarding to ISP via PBF</P><P>Both ISPs are in different untrust zones</P><P>Source Zone is same</P><P>If i disable SSL decryption policy for ISP2 then browsing was succesfull</P><P>&nbsp;</P><P>Any guess??</P> Fri, 25 Jan 2019 12:58:50 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-not-working-with-policy-based-forwarding/m-p/247579#M70428 Shuaib_Khalid 2019-01-25T12:58:50Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-not-working-with-policy-based-forwarding/m-p/247581#M70429 <P>Can you take a screenshot of the certificate message you are getting? Is it something like Unknown Certificate authority?</P><P>&nbsp;</P><P>If you then click the padlock in chrome -&gt; certificate -&gt; certification path. Are any certificate(s) in this path showing as red X?<BR />&nbsp;That would mean they are not imported into the Trusted Root CA Store.</P><P>&nbsp;</P><P>PBF should not break forward proxy.</P> Fri, 25 Jan 2019 13:09:06 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-not-working-with-policy-based-forwarding/m-p/247581#M70429 LukeBullimore 2019-01-25T13:09:06Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-not-working-with-policy-based-forwarding/m-p/247786#M70500 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Chrome_error.JPG" style="width: 676px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/18471i411568560EB7D005/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Chrome_error.JPG" alt="Chrome_error.JPG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Chrome_error1.JPG" style="width: 431px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/18470iD36833F83C46342C/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Chrome_error1.JPG" alt="Chrome_error1.JPG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Firefox_error.JPG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/18473iFDB11672340FC4F9/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Firefox_error.JPG" alt="Firefox_error.JPG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Firefox_error1.JPG" style="width: 625px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/18472iA297A664E257759C/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Firefox_error1.JPG" alt="Firefox_error1.JPG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="traffic_logs(Successfull decryption).JPG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/18474iF7DFCC2F5169D030/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="traffic_logs(Successfull decryption).JPG" alt="traffic_logs(Successfull decryption).JPG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="traffic_logs(Unsuccessfull decryption).JPG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/18475i3256634CEAE5F35C/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="traffic_logs(Unsuccessfull decryption).JPG" alt="traffic_logs(Unsuccessfull decryption).JPG" /></span></P> Mon, 28 Jan 2019 14:23:31 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-not-working-with-policy-based-forwarding/m-p/247786#M70500 Shuaib_Khalid 2019-01-28T14:23:31Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-not-working-with-policy-based-forwarding/m-p/247787#M70501 <P>Hi Luke,</P><P>&nbsp;</P><P>Appologize for delayed response, i have attached some screenshots in above message mentioning the SSL error in Chrome &amp; Firefox, i have also attached traffic logs for ISP1 (Succesfull Decryption) and ISP2 (Unsuccesfull Decryption).&nbsp;</P><P>&nbsp;</P><P>Note: Non SSL sites are working fine on ISP2.</P> Mon, 28 Jan 2019 14:26:43 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-not-working-with-policy-based-forwarding/m-p/247787#M70501 Shuaib_Khalid 2019-01-28T14:26:43Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-not-working-with-policy-based-forwarding/m-p/247788#M70502 <P>What do you see if anything, when you click on "View Certificate" ?</P><P>&nbsp;</P><P>Regards ... Leslie</P> Mon, 28 Jan 2019 14:28:20 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-not-working-with-policy-based-forwarding/m-p/247788#M70502 LeslieGomba 2019-01-28T14:28:20Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-not-working-with-policy-based-forwarding/m-p/247791#M70505 <P>Nothing happens on clicking "View Certificate".</P> Mon, 28 Jan 2019 15:00:15 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-not-working-with-policy-based-forwarding/m-p/247791#M70505 Shuaib_Khalid 2019-01-28T15:00:15Z