I am not able to get to https://platinum.netnames.com/ with SSL decryption on, on PAN 7.0.1 / PA-3020 (IE11 / FF40 == TLS failure). Also, speed seems capped to 3Mbit/s with some CDNs (S3 AWS). Am I missing something?
The website "https://platinum.netnames.com" is using an unsupported cipher suite (TLS_ECDHE_RSA is not supported); that's why you are having issues opening that website. Refer to the following document
This site only supports cipher suites with forward secrecy (ciphers with ECDHE or DHE). Those ciphers are not supported by the SSL decryption feature of Palo Alto.
These are the supported ciphers of this website:
Hope this helps.
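An added example (not code from the thread or from Palo Alto Networks) showing why a forward-secrecy-only site fails behind a decrypting proxy that lacks ECDHE/DHE support: the decrypting firewall is the TLS client toward the server, and if no suite in its ClientHello is one the server accepts, the handshake fails before any application data is exchanged; TLS has no graceful fallback for that. The proxy's suite list is a hypothetical assumption and the server suite lists are constructed sample data, not measurements of the site above. `probe_suite()` is an optional network helper, built on Python's `ssl` module, for measuring a real site's accepted suites.

```python
import socket
import ssl
from typing import Iterable, List, Tuple

# TLS 1.3 suite names carry no key-exchange token; TLS 1.3 always uses
# ephemeral (EC)DHE, so every one of them provides forward secrecy.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


def has_forward_secrecy(suite: str) -> bool:
    """True if the suite uses an ephemeral key exchange (ECDHE or DHE).

    Accepts OpenSSL names ("ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA")
    and IANA names ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA").
    """
    if suite in TLS13_SUITES:
        return True
    name = suite.upper()
    if name.startswith("TLS_"):          # IANA form: strip the leading TLS_
        name = name[4:]
    # OpenSSL spells ephemeral DH as DHE- (or EDH- for very old suites)
    return name.startswith(("ECDHE-", "ECDHE_", "DHE-", "DHE_", "EDH-"))


def negotiable(server_suites: Iterable[str], client_suites: Iterable[str]) -> List[str]:
    """Suites both sides accept, in the server's preference order.

    This is what a server honouring its own preference order picks from when
    the decrypting firewall (acting as TLS client) sends its ClientHello.
    """
    offered = set(client_suites)
    return [s for s in server_suites if s in offered]


def decryption_outcome(server_suites: List[str], proxy_suites: List[str]) -> Tuple[bool, str]:
    """Predict whether a decrypting proxy offering `proxy_suites` can complete
    a handshake with a server that accepts `server_suites`.

    Returns (ok, reason). ok=False with the forward-secrecy reason is the
    case from the thread: the server sends handshake_failure, and the only
    fix on the proxy side is to exclude the site from decryption.
    """
    common = negotiable(server_suites, proxy_suites)
    if common:
        return True, f"handshake can succeed with {common[0]}"
    if all(has_forward_secrecy(s) for s in server_suites):
        return False, ("server accepts only forward-secrecy suites (ECDHE/DHE) and the "
                       "proxy offers none; expect handshake_failure, exclude site from decryption")
    return False, "no cipher suite in common"


def probe_suite(host: str, suite: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Attempt a TLS 1.2 handshake offering exactly one OpenSSL-named suite.

    Returns True if the server accepts it. Needs network access, so the
    offline sample below does not call it; use it to build a server_suites
    list for a real site, e.g. [s for s in CANDIDATES if probe_suite(host, s)].
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(suite)   # raises SSLError if the local OpenSSL lacks the suite
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == suite
    except (ssl.SSLError, OSError):
        return False


# Constructed sample data (not measured from the site discussed above).
FS_ONLY_SERVER = [                      # a site that offers only ECDHE/DHE suites
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-GCM-SHA384",
]
MIXED_SERVER = [                        # a site that still offers static-RSA key exchange
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-GCM-SHA256",
    "AES256-SHA",
]
# Hypothetical ClientHello of a decrypting proxy that only supports RSA key exchange.
RSA_KX_PROXY = ["AES256-GCM-SHA384", "AES128-GCM-SHA256", "AES256-SHA", "AES128-SHA"]

if __name__ == "__main__":
    for label, server in (("fs-only site", FS_ONLY_SERVER), ("mixed site", MIXED_SERVER)):
        ok, reason = decryption_outcome(server, RSA_KX_PROXY)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {reason}")
```

The mixed site negotiates AES128-GCM-SHA256 with the RSA-only proxy and is decryptable; the forward-secrecy-only site has an empty intersection, which is the failure the thread describes and the case to put on a decryption-exclusion list.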
That's what I suspected; however, I don't understand why it can't be handled in a graceful manner (aka simply not decrypting). It is not very convenient to whitelist on incident (nor is it practical). It would be nice if Palo Alto could maintain a category of such sites on their own so we just have to exclude it from decryption and everybody benefits from it.
Is anyone using SSL Decrypt in the field with a lot of URL categories?
thanks for your input.
Some servers use non-standard cipher suites; that's why PA cannot decrypt them. However, PAN-OS 7.0 can decrypt more traffic than previous versions.
I totally feel your pain and agree... I've actually got a case open right now on this very issue. The number of TLS 1.2 sites that fail to load because of cipher suites the Palo doesn't support is kind of crazy.
Then compounding the issue is the "Page can't be displayed" error users get in IE. At least Chrome gives users a "Connection Closed" error, which does indicate something actually happened.
On your decryption profile you should be able to allow connection to SSL sites with "Unsupported ciphers" which I've actually got set to allow, but the 5060 still isn't allowing the connection. So TAC is investigating.
FWIW I am the only user of the solution (demo unit), and I am thinking of turning off SSL decryption given the number of issues it causes. I can't imagine the number of tickets I would get with 1K+ users on it.
How is TAC dealing with these issues from your experience?
Oddly enough, it's still worth it.
Not all sites run TLS1.2. There have been plenty of cases where decrypted content has enabled the threat service to find malware.
There are also a fair number of sites running TLS 1.2 that the device does support: FB, YouTube, webmail, as well as other governmental websites.
I've got about 1k users and I am decrypting all traffic. Currently running 7.0.1 on a pair of 3050s. 7.x has definitely improved the situation, as they fixed a bug that prevented many pages from loading even with the unsupported-cipher bypass enabled. You still run into situations like the one you described, but not nearly as many as before. I generally have 2-3 unblock requests per week, so it is manageable for now. I expect that number to go up in the future as more sites begin using cipher suites that the Palos can't handle. I'm hoping Palo is putting time into supporting more suites, as decryption is one of the foundations of their App-ID.