Solved! Go to Solution.
Nicely explained @BenLassila. The next thing i would do is to create a new “no decrypt” policy pointing to a no decrypt “url category”.
any sites that fail due to decryption attempts can simply be added to the new category.
it maybe something I’m doing wrong but this category for me is ever increasing.
i have noticed several posts regarding similar issues.
In the earlier versions of PanOS for large scale corporate deployments I had to manually add a number of lesser-known Trusted Root certificates. This has got a lot better with PanOS 7.1 and up. In the newest versions of PanOS you have a pre-populated "SSL Decryption Exclusion" list under Device > Certificate Management, which may be used as alternative to your no-decrypt list.
Depending on your risk appetite you can also just allow decrypt errors to be allowed in future attempts. This is set in the Decryption Profile. The failed URL in question then enters a list in memory for which the firewall won't try decrypt again. Your problem could forever go away with the right setting, except that you have less visibility or control over where SSL Decryption is failing.
Hope this helps
@BenLassila... noted. Many thanks.
we do already use the pre populated list. I should have been more specific in saying that we have a no decrypt site specific rule for the sites outside of the pre defined.
i have pretty much configured as you suggested but still get sites that fail on decrypt attempts and have to be added to my extra no decrypt policy.
i will check settings on monday. Dont want to move away to much from the original post.
thanks again for your time.
Reading your experiences is teaching me something about the SSL decryption in the firewall. Diverge from the original as much as you want.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!