PA-3020 SSL Decryption Query

L2 Linker

PA-3020 SSL Decryption Query

Hi, I have enabled SSL decryption (forward proxy) on our PA-3020 firewall. The certificate is generated from our CSR and is installed on our PA-3020. I have set up a separate forward trust and forward untrust certificate. The forward trust certificate has been distributed via Windows group policy and resides in the 'intermediate' and 'trusted' cert authorities within Windows. I can confirm that the SSL decryption appears to have been set up correctly, as demonstrated in the screenshots provided. When accessing 'bbc.com' through the Microsoft Edge browser I am getting a trusted cert from the PA-3020. When accessing 'badssl.com' in Microsoft Edge I am getting the correct untrusted certificate from the PA-3020. However, when using Google Chrome I am getting an error about weak encryption on the firewall. It states that I am using a weak encryption algorithm. When creating the cert on the PA-3020 I used an RSA algorithm (2048 bits) and a SHA256 digest. Can you advise why the PA-3020 certificate is not working on Google Chrome?

L7 Applicator

Re: PA-3020 SSL Decryption Query

@Jatin.Singh,

What version of PAN-OS are you running?

L2 Linker

Re: PA-3020 SSL Decryption Query

@BPry 

 

version 8.0.9

 

I have blocked ‘quic’ on the firewall for my test user. This still allowed traffic to work using Google Chrome. However, when I enabled SSL decryption I received the same error in Chrome - NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM.

L7 Applicator

Re: PA-3020 SSL Decryption Query

@Jatin.Singh,

This could actually be due to Chrome supporting TLS 1.3 and the PAN-OS version you are running not knowing to get out of the way and not attempt to decrypt the traffic. This was either added for PAN-OS 8.0 in 8.0.14 or 8.0.16, I can't recall exactly which one. I would upgrade your firewall to 8.0.19 and see if the issue persists. 

FYI, PAN-OS 8 goes EOL on Oct 31st, I would start planning your upgrade to 8.1. 

L2 Linker

Re: PA-3020 SSL Decryption Query

@BPry 

 

I have upgraded the Palo to 8.1.9 and the issue is still there. Is there any other solution for this issue?
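A check that fits the NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM error discussed in this thread: read the signature algorithm actually recorded in each certificate of the chain the browser receives, rather than relying on the digest chosen when the certificate was created. This is an added example, not part of the original posts and not Palo Alto code; the function names, labels and sample chain are assumptions, and the samples are constructed stand-ins that only mimic a certificate's outer DER layout.

```python
SIG_ALGS = {  # signature-algorithm OID -> (name, weak?)
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):  # OBJECT IDENTIFIER content bytes -> dotted string
    first = min(raw[0] // 40, 2)
    arcs, val = [first, raw[0] - 40 * first], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, _, pos = read_tlv(cert, 0)       # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)  # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    dotted = decode_oid(oid)
    return SIG_ALGS.get(dotted, (dotted, None))  # None: OID not in the table

def weak_links(chain):
    """Labels of the chain entries whose signature uses MD5 or SHA-1."""
    return [label for label, der in chain if signature_algorithm(der)[1]]

def _der(tag, value):  # minimal DER encoder, only for the constructed samples
    n = len(value)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + value
def _sample(last):  # constructed stand-in, not a real certificate
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d0101") + bytes([last])) + _der(0x05, b""))
    return _der(0x30, _der(0x30, bytes(300)) + alg + _der(0x03, bytes(257)))
SAMPLE_CHAIN = [("leaf", _sample(0x0B)), ("issuing CA", _sample(0x05))]
```

To run it on real data, export each certificate of the chain from the browser as PEM and convert it with `ssl.PEM_cert_to_DER_cert` from the standard library before passing it to `signature_algorithm`.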

 
