https://live.paloaltonetworks.com/t5/general-topics/pa-3020-ssl-decryption-query/m-p/281228#M75936 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>&nbsp;</P><P>version 8.0.9</P><P>&nbsp;</P><P><SPAN>I have blocked ‘quic’ on the firewall for my test user.&nbsp; This still allowed traffic to work using Google Chrome.&nbsp; However, when I enabled SSL decryption I received the same error in Chrome -&nbsp;</SPAN><SPAN>NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM.&nbsp;</SPAN></P> Tue, 06 Aug 2019 05:10:48 GMT Jatin.Singh 2019-08-06T05:10:48Z https://live.paloaltonetworks.com/t5/general-topics/pa-3020-ssl-decryption-query/m-p/280993#M75902 <P>Hi, I have enabled SSL decryption (forward proxy) on our PA-3020 firewall. The certificate is generated from our CSR and is installed on our PA-3020. I have set up a separate forward trust and forward untrust certificate. The forward trust certificate has been distributed via windows group policy and resides in the 'intermediate' and 'trusted' cert authorities within windows. I can confirm that the SSL decryption appears to have been set up correctly as demonstrated in the screenshots provided. when accessing 'bbc.com' through the Microsoft EDGE browser I am getting a trusted cert from the PA-3020. When accessing 'badssl.com' in Microsoft EDGE i am getting the correct untrusted certificate from the PA-3020. However, when using Google chrome I am getting an error about weak encryption on the firewall. It states that I am using a weak encryption algorithm. When creating the cert on the PA-3020 I used an RSA algorithm (2048 bits) and a SHA256 digest. Can you advise why the PA-3020 certificate is not working on google chrome?</P> Mon, 05 Aug 2019 02:24:13 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-3020-ssl-decryption-query/m-p/280993#M75902 Jatin.Singh 2019-08-05T02:24:13Z https://live.paloaltonetworks.com/t5/general-topics/pa-3020-ssl-decryption-query/m-p/281002#M75905 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/114565">@Jatin.Singh</a>,</P><P>What version of PAN-OS are you running.&nbsp;</P> Mon, 05 Aug 2019 02:35:07 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-3020-ssl-decryption-query/m-p/281002#M75905 BPry 2019-08-05T02:35:07Z https://live.paloaltonetworks.com/t5/general-topics/pa-3020-ssl-decryption-query/m-p/281228#M75936 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>&nbsp;</P><P>version 8.0.9</P><P>&nbsp;</P><P><SPAN>I have blocked ‘quic’ on the firewall for my test user.&nbsp; This still allowed traffic to work using Google Chrome.&nbsp; However, when I enabled SSL decryption I received the same error in Chrome -&nbsp;</SPAN><SPAN>NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM.&nbsp;</SPAN></P> Tue, 06 Aug 2019 05:10:48 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-3020-ssl-decryption-query/m-p/281228#M75936 Jatin.Singh 2019-08-06T05:10:48Z https://live.paloaltonetworks.com/t5/general-topics/pa-3020-ssl-decryption-query/m-p/281362#M75962 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/114565">@Jatin.Singh</a>,</P><P>This could actually be due to Chrome supporting TLS 1.3 and the PAN-OS version you are running not knowing to get out of the way and not attempt to decrypt the traffic. This was either added for PAN-OS 8.0 in 8.0.14 or 8.0.16, I can't recall exactly which one. I would upgrade your firewall to 8.0.19 and see if the issue persists.&nbsp;</P><P>FYI, PAN-OS 8 goes EOL on Oct 31st, I would start planning your upgrade to 8.1.&nbsp;</P> Tue, 06 Aug 2019 17:04:38 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-3020-ssl-decryption-query/m-p/281362#M75962 BPry 2019-08-06T17:04:38Z https://live.paloaltonetworks.com/t5/general-topics/pa-3020-ssl-decryption-query/m-p/282241#M76053 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>&nbsp;</P><P>I have upgrade the Palo to&nbsp;<SPAN>&nbsp;8.1.9 and issue is still there, is there any other solution for this issue?</SPAN></P><P>&nbsp;</P> Mon, 12 Aug 2019 05:25:59 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-3020-ssl-decryption-query/m-p/282241#M76053 Jatin.Singh 2019-08-12T05:25:59Z