<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: if ssl inbound decryption failed, the session will be blocked or? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/if-ssl-inbound-decryption-failed-the-session-will-be-block-or/m-p/330103#M83718</link>
    <description>Yes, I agree with your point of view, according to what the article should mean. Thank you very much for your reply.</description>
    <pubDate>Wed, 27 May 2020 15:27:28 GMT</pubDate>
    <dc:creator>Felixcao</dc:creator>
    <dc:date>2020-05-27T15:27:28Z</dc:date>
    <item>
      <title>if ssl inbound decryption failed, the session will be blocked or?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/if-ssl-inbound-decryption-failed-the-session-will-be-block-or/m-p/330012#M83706</link>
      <description>The customer wants to configure SSL inbound decryption for an internal server. They do not want this configuration to affect existing web services. I checked the relevant information, and I think that with the firewall in Inbound Inspection mode, PAN-OS will not act as a proxy with SSL traffic matching the policy. PAN-OS will try to decrypt this SSL traffic 'on-the-fly' by eavesdropping the SSL handshake and using the associated Certificate (Key Pair) configured in the decryption policy. So if the firewall decryption failed, should the session be unaffected or blocked/dropped (even if this policy's actions are allowed)? Reference URL: &lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV8CAK" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV8CAK&lt;/A&gt;</description>
      <pubDate>Wed, 27 May 2020 07:25:34 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/if-ssl-inbound-decryption-failed-the-session-will-be-block-or/m-p/330012#M83706</guid>
      <dc:creator>Felixcao</dc:creator>
      <dc:date>2020-05-27T07:25:34Z</dc:date>
    </item>
    <item>
      <title>Re: if ssl inbound decryption failed, the session will be blocked or?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/if-ssl-inbound-decryption-failed-the-session-will-be-block-or/m-p/330093#M83717</link>
      <description>&lt;P&gt;If RSA keys are used, the firewall decrypts on-the-fly; if PFS keys are used, the firewall has to use man-in-the-middle like the SSL forwarding proxy.&lt;/P&gt;&lt;P&gt;So from my experience, as long as RSA keys are used the connection opens, no matter if the firewall was able to decrypt it or not, but with PFS keys (DHE, ECDHE) it won't open if decryption fails.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/decryption-concepts/ssl-inbound-inspection.html#id8e14546e-d8d9-485b-a936-64119ef7ad61" target="_blank" rel="noopener"&gt;https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/decryption-concepts/ssl-inbound-inspection.html#id8e14546e-d8d9-485b-a936-64119ef7ad61&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 27 May 2020 14:59:49 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/if-ssl-inbound-decryption-failed-the-session-will-be-block-or/m-p/330093#M83717</guid>
      <dc:creator>Adrian_Moechel</dc:creator>
      <dc:date>2020-05-27T14:59:49Z</dc:date>
    </item>
    <item>
      <title>Re: if ssl inbound decryption failed, the session will be blocked or?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/if-ssl-inbound-decryption-failed-the-session-will-be-block-or/m-p/330103#M83718</link>
      <description>Yes, I agree with your point of view, according to what the article should mean. Thank you very much for your reply.</description>
      <pubDate>Wed, 27 May 2020 15:27:28 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/if-ssl-inbound-decryption-failed-the-session-will-be-block-or/m-p/330103#M83718</guid>
      <dc:creator>Felixcao</dc:creator>
      <dc:date>2020-05-27T15:27:28Z</dc:date>
    </item>
  </channel>
</rss>

