We are using PANOS URL Filtering and SSL Decryption, and we reject a variety of SSL certificate problems such as expired certificates, SHA-1 signing, etc. When one of our users hits one of these web sites, they get a "block" page. This invariably leads them to submit a request to have the site unblocked, without any additional information.
We have been unable to find any log on the Monitor tab of the firewall console that will give us the reason why the certificate was rejected. At most we get traffic logs with "aged-out." Is this information being collected by PANOS? Is it available anywhere in the console? How do other people diagnose these blocks?
show system setting ssl-decrypt exclude-cache
show counter global filter delta yes | match ssl_sess_id_resume_drop
Here is a link with even more detail which may be helpful, though not as helpful as just adding this in the traffic log detail, which unfortunately is not currently a supported feature. Reach out to your sales engineer and request this be added as a feature in a future release.
Palo does provide a response page for SOME cert issues:
Specifically for things like an expired certificate I've seen this page come up. However for things like certificate negotiation issues I've only ever seen a "Page Can't Be Displayed" browser page. The only way I've found to diagnose the issue is to perform a packet capture. Doing this you can see a "Fatal Certificate Error" in the SSL/TLS negotiation.
When things like the latter occur it's very frustrating because, for one, users tend to think there's a problem with the distant end, and/or when the ticket comes to a less experienced technician they don't even think about certificate issues and performing such in-depth analysis.
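The reply above says the only reliable way to see why the firewall rejected a certificate is a packet capture showing a fatal alert in the TLS negotiation. The script below is an added example (not from this thread and not Palo Alto Networks code) that decodes those alert records so a technician can read "certificate_expired" or "unknown_ca" instead of a raw byte. It assumes you already have the raw TLS bytes of the client-side stream (for instance exported from Wireshark's Follow TCP Stream as raw, or pulled out with a pcap library); the byte strings embedded here are constructed for the example. One caveat a practitioner should keep in mind: only plaintext alerts are decodable this way. In TLS 1.2 a certificate alert sent after the Certificate message is in the clear, but in TLS 1.3 everything after ServerHello, alerts included, is encrypted, so the capture will only show an encrypted alert record.

```python
import struct
from typing import Iterator, List, NamedTuple, Optional, Tuple

# TLS record content types (RFC 5246 section 6.2.1).
CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22

ALERT_LEVELS = {1: "warning", 2: "fatal"}

# AlertDescription values from RFC 5246 section 7.2, RFC 6066 and RFC 8446 section 6.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 86: "inappropriate_fallback", 90: "user_canceled",
    100: "no_renegotiation", 109: "missing_extension", 110: "unsupported_extension",
    111: "certificate_unobtainable", 112: "unrecognized_name",
    113: "bad_certificate_status_response", 114: "bad_certificate_hash_value",
    115: "unknown_psk_identity", 116: "certificate_required",
    120: "no_application_protocol",
}

# Descriptions that point at a problem with the peer's certificate chain,
# i.e. the ones a decrypting firewall raises when it rejects a server cert.
CERT_ALERTS = {41, 42, 43, 44, 45, 46, 48, 111, 113, 114, 116}


class TlsRecord(NamedTuple):
    content_type: int
    version: Tuple[int, int]
    payload: bytes


def iter_records(data: bytes) -> Iterator[TlsRecord]:
    """Split a raw TLS byte stream into records; stops cleanly at a truncated tail."""
    off = 0
    while off + 5 <= len(data):
        ctype, vmaj, vmin, length = struct.unpack("!BBBH", data[off:off + 5])
        off += 5
        if off + length > len(data):
            break  # record header claims more bytes than the capture holds
        yield TlsRecord(ctype, (vmaj, vmin), data[off:off + length])
        off += length


def decode_alert(payload: bytes) -> Optional[dict]:
    """Decode a two-byte Alert body (level, description) into readable fields."""
    if len(payload) < 2:
        return None
    level, desc = payload[0], payload[1]
    return {
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
        "code": desc,
        "certificate_related": desc in CERT_ALERTS,
    }


def find_alerts(stream: bytes) -> List[dict]:
    """Return every plaintext alert found in the stream, in wire order."""
    found = []
    for rec in iter_records(stream):
        if rec.content_type == CONTENT_ALERT:
            alert = decode_alert(rec.payload)
            if alert is not None:
                found.append(alert)
    return found


def explain(stream: bytes) -> str:
    """One-line summary suitable for pasting into a ticket."""
    alerts = find_alerts(stream)
    if not alerts:
        return "no plaintext TLS alert found (TLS 1.3 alerts after ServerHello are encrypted)"
    return "; ".join(f"{a['level']} {a['description']} ({a['code']})" for a in alerts)


# Constructed sample streams (not real captures):
# a ServerHelloDone handshake record followed by a fatal certificate_expired (45) alert.
EXPIRED_CERT_STREAM = (
    b"\x16\x03\x03\x00\x04" + b"\x0e\x00\x00\x00"
    + b"\x15\x03\x03\x00\x02" + b"\x02\x2d"
)
# A lone fatal unknown_ca (48) alert on a TLS 1.0 record layer.
UNKNOWN_CA_STREAM = b"\x15\x03\x01\x00\x02\x02\x30"
# A record header promising two bytes but the capture ends after one.
TRUNCATED_STREAM = b"\x15\x03\x03\x00\x02\x02"

if __name__ == "__main__":
    for name, stream in (("expired", EXPIRED_CERT_STREAM),
                         ("unknown_ca", UNKNOWN_CA_STREAM),
                         ("truncated", TRUNCATED_STREAM)):
        print(f"{name}: {explain(stream)}")
```

In Wireshark the same field is exposed under the display filter tls.alert_message (ssl.alert_message on older releases); the script is for the case where you want the reason extracted automatically from many captures or attached to a ticket without opening each one.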
Thanks to both of you for the suggestions. I did reach out to our sales engineer to request the log as a feature. A custom response page is probably going to be our best bet.