topic Re: Content-Filter and Decryption - ERR_SSL_PROTOCOL_ERROR in General Topics

Content-Filter and Decryption - ERR_SSL_PROTOCOL_ERROR

PStricker — Sat, 31 May 2014 08:38:33 GMT

Hi!

I see a strange problem with the combination of content-filtering and decryption:

- Decryption is on

- Facebook is declared as "block-continue"

If I open "http://www.facebook.de" the block-continue-page appears - pressing continue forwards me to "https://www.facebook.com" and everything is fine.

30 minutes later, I try to access "https://www.facebook.com", but instead of showing the block-continue-page, the browser (tested with Firefox and Chrome) does just show

SSL Connection Error

ERR_SSL_PROTOCOL_ERROR

The only workaround, I found was to access the "http-site" of facebook to get back the block-continue-page of my PA.

Did you ever see that behaviour?

I am using software release 5.0.11 at the moment.

Regards,

Phil

Re: Content-Filter and Decryption - ERR_SSL_PROTOCOL_ERROR

pulukas — Sat, 31 May 2014 11:28:06 GMT

This sounds like a bug. I don't see anything like this on the list of addressed issues in PAN-OS 5.0.12 either.

I would open a ticket to get this reported and into the bug database for a fix.

Re: Content-Filter and Decryption - ERR_SSL_PROTOCOL_ERROR

HULK — Sat, 31 May 2014 13:53:07 GMT

Hello Pstriker,

Could you please verify, what version of TLS you are getting during SSL handshake. The SSL versions supported by PAN-OS 5.0.x are: SSLv3, TLS1.0, and TLS1.1.

If you are getting a connection on TLS version 1.2, you can change the browser settings to use a lower TLS version and let us know the result. Also make sure, below mentioned settings is unchecked if you have a "decryption profile" configured on your firewall during the test.

SSL Decrypt

Thanks

Re: Content-Filter and Decryption - ERR_SSL_PROTOCOL_ERROR

HULK — Sat, 31 May 2014 13:54:52 GMT

FYI:

Google Chrome: In order to enable TLS 1.0 in Chrome do the following:

1. Click the wrench icon:

2. Choose Options

3. Select "Under the Hood" Tab

4. Click Change proxy settings

5. Select "Advanced" Tab

6. Scroll down and check TLS 1.0

7. Close and restart all open browsers.

Thanks

Re: Content-Filter and Decryption - ERR_SSL_PROTOCOL_ERROR

PStricker — Sat, 31 May 2014 14:54:27 GMT

Hello Hulk!

I have checked my settings: TLS 1.0 is already enabled, but block-continue-pages are not displayed for https-sites.

My decryption profile does not block sessions with unsupported cipher suites. I double-checked this.

I think, the problem is the combination of content filter and decryption:

- Content-Filter is working fine

- Decryption is working fine

The combination fails because, I do not get the "block-continue-page".

Do you have any other idea?

Regards,

Phil

Re: Content-Filter and Decryption - ERR_SSL_PROTOCOL_ERROR

HULK — Sat, 31 May 2014 16:49:36 GMT

Hello Phil,

Could you please take a TCP FLOW_BASIC, CTD to get some more details information.

Thanks

Re: Content-Filter and Decryption - ERR_SSL_PROTOCOL_ERROR

PStricker — Sat, 31 May 2014 17:22:05 GMT

Hello Hulk,

can you please explain me what you mean with "TCP FLOW_BASIC, CTD"?

Regards,

Phil

Re: Content-Filter and Decryption - ERR_SSL_PROTOCOL_ERROR

HULK — Sun, 01 Jun 2014 17:10:25 GMT

Hello Phil,

Please find below doc for the same:

Packet Capture, Debug Flow-basic and Counter Commands

Thanks

Re: Content-Filter and Decryption - ERR_SSL_PROTOCOL_ERROR

PStricker — Mon, 02 Jun 2014 05:53:20 GMT

Hello Hulk!

It is absolutely strange! Today morning, the problem has still been there and now, it is working without changing anything!

What is the Packet Capture, you need? How should I set the filter?

Regards,

Phil