SSL Decryption in different countries?

Reply
L1 Bithead

SSL Decryption in different countries?

Hello All,

 

Starting to deploy 100+ firewalls worldwide. Have configured SSL decryption for General Browsing rule.

A template has been configured in Panorama, so they all have the exact same setup.

North America and Europe locations I tested are OK. Tried a Brazil office yesterday and if decryption is enabled, for very basic sites like UPS and Fedex, it becomes super slow - sometimes does not even finish loading the page at all. As soon as I disable decryption in this Brazilian branch, all seems to be working fine. Looked into the logs and there were many failures (decrypt-error) for the Session-End Reason. I do not have similar logs in other branch offices in North America and Europe.

 

What would be your input on that?

 

Thanks!

 

R.

L2 Linker

Re: SSL Decryption in different countries?

Hi @Rievax 

 

Decrypt-error tells us the ciphers used by the web server are not supported/matched with the ciphers enabled on decryption profile. Can you verify that.

Regards, Nagarjuna 

L1 Bithead

Re: SSL Decryption in different countries?

Hello @nagarjuna.b 

 

Thanks for the answer.

 

This morning, I did re-enable decryption again for a specific test workstation but had none of those Decrypt-errors I had yesterday at implementation time... No clue from where is was coming. To answer more specifically your question, the Decryption profile is quite open (like the Default) and the web site goes with TLS 1.2, ECDHE_RSA with P-256, and AES_256_GCM... which is exactly what PA generates when decryption is enabled. That being said, the loading page delays are still there.

 

Focusing on UPS.COM web site, when decryption is enabled in this particular location (big city in Brazil), it takes 5 seconds to load the root site (/) and 5 to 7 minutes to load some JPGs and GIF files (numbers are coming from Developer Tools in Firefox / Chrome) - making the page virtually hang. Disabling decryption makes this site display in about a second. I did not see any kind of related information in Data Filtering / Wildfire Submissions logs. In other Office Locations around the globe that I tested, I did not have these delays with decryption enabled.

 

Interestingly, many other sites are just working OK but also notice delays in loading (or non-loading) images. I though that could be an interesting point.

 

Any help / clues are appreciated. Thanks!

 

R.

 

L7 Applicator

Re: SSL Decryption in different countries?

Hello,

Have you looked at the logs to make sure nothing is getting blocked? OR taken any pcaps to see if there are a lot of retransmits or other issues?

 

Just some thoughts.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!