topic Re: Inbound SSL decryption troubleshooting on PANOS 9 in General Topics

Inbound SSL decryption troubleshooting on PANOS 9

acravens — Mon, 05 Oct 2020 19:36:36 GMT

I am trying to configure URL filtering on an internal SSL web host and having problems. I've found multiple videos and articles on both URL filtering and inbound SSL decryption but I cannot get it to work. I've taken a step back and am just trying to verify the SSL decryption is working. I have uploaded the SSL cert (PKCS12 format) no problem. Also created the decryption profile and the encryption policy rule. Finally, I created a general policy to allow the traffic. All configs were done following the instruction in this video by the Palo Alto community: https://www.youtube.com/watch?v=oTivQY1RHu4

The problem is that I have no way to verify the decryption is working. Other documentation I have found shows there is a decryption log under Monitor ---> Logs. However, on PANOS 9 there is no decryption log. If I look at the Traffic Logs I can see traffic to the SSL web server. If I click on the details I can see the Decrypted flag is not set so it looks like the traffic is not decrypted. Without the right logs I am lost as to what is going on. Is there some log in PANOS 9 that contains more detailed info about decryption?

Re: Inbound SSL decryption troubleshooting on PANOS 9

BPry — Mon, 05 Oct 2020 19:50:24 GMT

@acravens,

What are the logs showing you, are they displaying decrypt-error on the session logs? The first things to look at that are the most common are the following. You're going to need to breakout wireshark on this one.

Unsupported cipher suites
Unsupported EC curves
Server using certificate chains
Server sending client certificate verify
Server Configured with client certificate auth
Client sending SSL alert due to unknown certificate or bad certificate

Personally, you'll usually find that you have a mismatch between supported ciphers or the certificate chain as the most common issues.

Re: Inbound SSL decryption troubleshooting on PANOS 9

acravens — Mon, 05 Oct 2020 20:04:11 GMT

I can't find any logs related to the decryption at all. Under the Logs section these are the logs I have available:

Traffic

Threat

URL Filtering

Wildfire Submissions

Data Filtering

HIP Match

IP-Tag

User-ID

Tunnel Inspection

Configuration

System

Alarms

Authentication

Unified

I've checked all these categories and can find no logs related to SSL decryption.

Re: Inbound SSL decryption troubleshooting on PANOS 9

BPry — Mon, 05 Oct 2020 20:13:54 GMT

@acravens,

The decrypt-error would be found in your traffic logs under session_end_reason. That's the only logs you'll find on your version of PAN-OS. You'll need to do the verification legwork yourself.