PAN-OS 7.0.2 SSL Decryption certficate untrust issues (No problem on 7.0.1)

Reply
L1 Bithead

Re: PAN-OS 7.0.2 SSL Decryption certficate untrust issues (No problem on 7.0.1)

Same problem here. 7.0.2 on PA-3020. Reproducable with www.yahoo.com.

Case Number: 00377771.

Anyone heared something from TAC regarding this issue?

 

L0 Member

Re: PAN-OS 7.0.2 SSL Decryption certficate untrust issues (No problem on 7.0.1)

Please let me know if this helps:

 

1) Instead of creating a separate cert to use as a forward untrust, try using the existing cert as both, forward trust and forward untrust.

 

2) Disable blocking of any untrusted issuers in the certificate profile or try disabling the cert profile altogether.

 

 

L3 Networker

Re: PAN-OS 7.0.2 SSL Decryption certficate untrust issues (No problem on 7.0.1)

Having the same issues here as well.  Funny thing is that I was seeing this for a few sites on 6.1.5 as well before moving to 7.0.2, but not nearly as often (like once a week someone would say Amazon wasn't working then it would "fix" itself randomly).

 

Some examples for us are eBay (https://signin.ebay.com/), Konica (https://www.mykmbs.com), Trustwave (www.trustwave.com), and ATT (https://businessdirect.att.com).

 

The interesting thing is that occasionlly i can get the eBay site to work in Chrome if i just keep hitting refresh, however I can never get it to work IE11.

 

Our decryption policy does not contain anything complicated (just trust to untrust) and does not utilize a decryption profile.  I tried enabling the "default" decryption profile but that did not make any difference.  I haven't tried creating a custom profile and playing around with any settings as of yet.

 

Case: 00378726

L2 Linker

Re: PAN-OS 7.0.2 SSL Decryption certficate untrust issues (No problem on 7.0.1)

We were having the same issue and had to roll back to 7.0.1, PA confirmed the bug (case #00371611) and said it'd be fixed for 7.0.3.

L3 Networker

Re: PAN-OS 7.0.2 SSL Decryption certficate untrust issues (No problem on 7.0.1)

any ideas when 7.0.3 will be released? Downtime to go back to 7.0.1 and then again (if soon) for 7.0.3 isn't going to be well received. would be great to have release date visibility

L1 Bithead

Re: PAN-OS 7.0.2 SSL Decryption certficate untrust issues (No problem on 7.0.1)

I was told by TAC 7.0.3 would be released the week of Oct 19.

L3 Networker

Re: PAN-OS 7.0.2 SSL Decryption certficate untrust issues (No problem on 7.0.1)

PANOS 7.0.3 is out. According the release note this bug should have been fixed.

 

edit:

I did some some smoke tests with 7.0.3 and for me the bug is fixed

Highlighted
L2 Linker

Re: PAN-OS 7.0.2 SSL Decryption certficate untrust issues (No problem on 7.0.1)

From what I can tell this does in fact seem to be fixed in 7.0.3.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!