<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: SSL Decrypt on Virtual Wire deployment Certificate Issue (Chrome) in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/ssl-decrypt-on-virtual-wire-deployment-certificate-issue-chrome/m-p/320319#M82050</link>
    <description>&lt;P&gt;So, to confirm, you are able to get SSL Decryption working on your firewall with some sites?&lt;/P&gt;
&lt;P&gt;The only way SSL Decryption can work properly is if the Firewall is the CA, and it generates SSL certificates on the fly for the client machine, in a "man in the middle" function. That CA (Certificate Authority) is then trusted by the client machine, allowing the traffic coming from the Firewall to be trusted, and the Firewall acts as the client to the Public site.&lt;/P&gt;
&lt;P&gt;But this gets really muddy, really fast when the firewall is in VirtualWire mode with no IP.&lt;/P&gt;</description>
    <pubDate>Thu, 02 Apr 2020 15:06:31 GMT</pubDate>
    <dc:creator>jdelio</dc:creator>
    <dc:date>2020-04-02T15:06:31Z</dc:date>
    <item>
      <title>SSL Decrypt on Virtual Wire deployment Certificate Issue (Chrome)</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ssl-decrypt-on-virtual-wire-deployment-certificate-issue-chrome/m-p/318604#M81783</link>
      <description>&lt;P&gt;I have my PA-200 in virtual wire mode with Captive Portal using SSL Decrypt for all users with a self-signed certificate.&lt;/P&gt;&lt;P&gt;When the users try to navigate to the internet in the Chrome browser, they receive NET::ERR_CERT_COMMON_NAME_INVALID, which doesn't permit a bypass to go to the untrust site. When I manually enter a site that supports HTTP or another certificate method, it is possible to navigate to the unsafe site and Captive Portal works very well (I also have a Decryption profile and it also works).&lt;/P&gt;&lt;P&gt;I read that it is a common issue with Google, so I manually put a Subject Alternate Name in the attributes (host, ip, alt-email) of the certificate, then exported it to the user's PC as a trusted root certificate, but it doesn't work.&lt;/P&gt;&lt;P&gt;In my case, all trust users take DHCP IPs from the router above the FW, so the default gateway is the router IP (virtual wire doesn't provide a FW IP). I manually generated a certificate with the router IP but it still doesn't work 😞&lt;/P&gt;&lt;P&gt;Any idea or suggestion?&lt;/P&gt;</description>
      <pubDate>Wed, 25 Mar 2020 22:45:34 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ssl-decrypt-on-virtual-wire-deployment-certificate-issue-chrome/m-p/318604#M81783</guid>
      <dc:creator>RPerez11</dc:creator>
      <dc:date>2020-03-25T22:45:34Z</dc:date>
    </item>
    <item>
      <title>Re: SSL Decrypt on Virtual Wire deployment Certificate Issue (Chrome)</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ssl-decrypt-on-virtual-wire-deployment-certificate-issue-chrome/m-p/320319#M82050</link>
      <description>&lt;P&gt;So, to confirm, you are able to get SSL Decryption working on your firewall with some sites?&lt;/P&gt;
&lt;P&gt;The only way SSL Decryption can work properly is if the Firewall is the CA, and it generates SSL certificates on the fly for the client machine, in a "man in the middle" function. That CA (Certificate Authority) is then trusted by the client machine, allowing the traffic coming from the Firewall to be trusted, and the Firewall acts as the client to the Public site.&lt;/P&gt;
&lt;P&gt;But this gets really muddy, really fast when the firewall is in VirtualWire mode with no IP.&lt;/P&gt;</description>
      <pubDate>Thu, 02 Apr 2020 15:06:31 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ssl-decrypt-on-virtual-wire-deployment-certificate-issue-chrome/m-p/320319#M82050</guid>
      <dc:creator>jdelio</dc:creator>
      <dc:date>2020-04-02T15:06:31Z</dc:date>
    </item>
  </channel>
</rss>

