Block sessions if resources not available" configuration in Decryption Profile"
17957
Created On 09/25/18 17:41 PM - Last Modified 02/23/23 04:28 AM
Symptom
In the Decryption Profile, there is an option to choose "Block sessions if resources not available" for SSL Forward Proxy and SSL Inbound inspection. What do we mean if resources are not available?
Environment
- Palo Alto Firewall
- PAN-OS 8.1
- SSL Decryption
- Block sessions if resources not available
Resolution
Block sessions if resources not available will kick in when the:
- Maximum number of decrypted sessions has been reached
- Client Hello references the SSL session ID, which we do not have in the firewall cache anymore
- Decrypt packet buffers are depleted
Dataplane resources utilization is not monitored with this configuration.
Contact Support if assistance is needed to resolve the issue,