SSL Decryption Woes

L1 Bithead

SSL Decryption Woes

Hi,

I am not able to get to https://platinum.netnames.com/ with SSL decryption on, on PAN 7.0.1 / PA-3020 (IE11 / FF40 == TLS failure). Also, speed seems capped to 3Mbit/s with some CDNs (S3 AWS). Am I missing something?

thanks.

L5 Sessionator

Re: SSL Decryption Woes

The website "https://platinum.netnames.com" is using an unsupported cipher suite (TLS_ECDHE_RSA is not supported); that's why you are having issues while opening that website. Refer to the following document:

https://live.paloaltonetworks.com/t5/Articles/SSL-Decryption-Not-Working-due-to-Unsupported-Cipher-S...

L7 Applicator

Re: SSL Decryption Woes

Hi,

This site only supports cipher suites with forward secrecy (ciphers with ECDHE or DHE). Those ciphers are not supported by the SSL decryption feature of Palo Alto.

These are the supported ciphers of this website:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

source: https://www.ssllabs.com/ssltest/analyze.html?d=platinum.netnames.com

Hope this helps.

Regards,

Remo
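As an added illustration (not from this thread and not Palo Alto's code), here is a small Python triage helper that classifies a server's advertised cipher-suite names by key exchange and reports whether a decryptor that only supports a given set of key exchanges can negotiate anything at all. The RSA-only default is an assumption that mirrors the limitation Remo describes, and the suite list is the one SSL Labs reported above.

```python
import re

# Key-exchange tokens whose keys are ephemeral, i.e. the suite gives forward secrecy.
PFS_KX = {"ECDHE", "DHE"}

# IANA names look like TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>; in TLS_RSA_WITH_... one token does both jobs.
_SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|RSA|ECDH|DH)(?:_(?P<auth>RSA|ECDSA|DSS|anon))?_WITH_(?P<rest>[A-Z0-9_]+)$")

# The six suites SSL Labs reported for the site in the post above (copied from the thread).
NETNAMES_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]

# Assumption for this example: the decryptor handles static RSA key exchange only,
# which is the limitation the thread describes for PAN-OS 7.0.1.
RSA_ONLY = frozenset({"RSA"})


def parse_suite(name):
    """Return (key_exchange, authentication, forward_secret) for one suite name."""
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx = m.group("kx")
    auth = m.group("auth") or kx  # TLS_RSA_WITH_...: RSA is both key exchange and auth
    return kx, auth, kx in PFS_KX


def decryption_overlap(server_suites, supported_kx):
    """Split the server's suites into those the decryptor can negotiate and those it cannot."""
    negotiable, blocked = [], []
    for suite in server_suites:
        kx, _, _ = parse_suite(suite)
        (negotiable if kx in supported_kx else blocked).append(suite)
    return negotiable, blocked


def triage(server_suites, supported_kx=RSA_ONLY):
    """One-line verdict for a TLS failure under decryption, based on key exchange alone."""
    negotiable, blocked = decryption_overlap(server_suites, supported_kx)
    if negotiable:
        return f"decryptable via {negotiable[0]}"
    if all(parse_suite(s)[2] for s in blocked):
        return "not decryptable: server offers forward-secrecy suites only"
    return "not decryptable: no key exchange in common"
```

Feeding triage() the suite list from an SSL Labs report tells you before users hit the error whether a decryption exclusion is the only option or whether the failure needs a TAC case.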

L1 Bithead

Re: SSL Decryption Woes

That's what I suspected; however, I don't understand why it can't be handled in a graceful manner (aka simply not decrypting). It is not very convenient to whitelist on incident (nor is it practical). It would be nice if Palo Alto could maintain a category of such sites on their own so we just have to exclude it from decryption and everybody benefits from it.

Is anyone using SSL Decrypt in the field with a lot of URL categories?

thanks for your input.

L5 Sessionator

Re: SSL Decryption Woes

Some servers use non-standard cipher suites; that's why PA cannot decrypt them. However, PAN-OS 7.0 can decrypt more traffic than previous versions.

Regards,

Pankaj Kumar

L6 Presenter

Re: SSL Decryption Woes

I totally feel your pain and agree... I've actually got a case open right now on this very issue. The amount of TLS 1.2 sites that fail to load because of unsupported cipher suites the Palo doesn't support is kinda crazy.

Then compounding the issue is the "Page can't be displayed" error users get in IE. At least Chrome gives users a "Connection Closed" error, which does indicate something actually happened.

On your decryption profile you should be able to allow connections to SSL sites with "Unsupported ciphers", which I've actually got set to allow, but the 5060 still isn't allowing the connection. So TAC is investigating.

L1 Bithead

Re: SSL Decryption Woes

FWIW I am the only user of the solution (demo unit), and I am thinking of turning off SSL decryption given the number of issues it causes. I can't imagine the number of tickets I would get with 1K+ users on it.

How is TAC dealing with these issues from your experience?

Thanks!

L6 Presenter

Re: SSL Decryption Woes

Oddly enough, it's still worth it.

Not all sites run TLS 1.2. There have been plenty of cases where decrypted content has enabled the threat service to find malware.

There are also a fair number of sites running TLS 1.2 that the device does support: FB, YouTube, webmail, as well as other governmental websites.

L6 Presenter

Re: SSL Decryption Woes

As far as TAC support on this TLS issue, I've only had the case open for about 12 hours. We'll see how things progress.

L2 Linker

Re: SSL Decryption Woes

I've got about 1k users and I am decrypting all traffic. Currently running 7.0.1 on a pair of 3050s. 7.x has definitely improved the situation, as they fixed a bug that prevented many pages from loading even with the unsupported cipher bypass enabled. You still run into situations like the one you described, but not nearly as many as before. I generally have 2-3 unblock requests per week, so it is manageable for now. I expect that number to go up in the future as more sites begin using cipher suites that the Palos can't handle. I'm hoping Palo is putting time into supporting more suites, as decryption is one of the foundations of their App-ID.
