SSL Decryption

L2 Linker

SSL Decryption

Hello,

 

I have a PA-VM running on an ESX server.

I want to set up SSL Decryption on it using a SUBCA certificate chain signed by a PKI (Windows Server).

I check the boxes "Forward to trust/untrusted certificate".

I export the SUBCA to store it on a client machine (to avoid the warning message).

The network is OK

The policy is Any any permit

The SSL decryption policy is set up to decrypt everything

 

The main issue is the following:

On the client machine, I am not allowed to reach any website using HTTPS; the browser is telling me that the connection has been reset... whatever the browser (Chrome, IE, etc.)

 

I can't find anything to solve my issue...

 

Thanks in advance

Regards

L7 Applicator

Re: SSL Decryption

It doesn't sound like SSL decryption was set up properly. Did you follow any of the guides when you were setting this up? Generally you should at least be getting a message about the certificate not being trusted. I would personally delete the setup that you have currently and follow the guide found here to verify that everything is set up correctly.

 

https://live.paloaltonetworks.com/t5/Tutorials/How-to-Configure-SSL-Decryption/ta-p/65073#TopicC

L6 Presenter

Re: SSL Decryption

The traffic logs session end reason? What can you see there?

L2 Linker

Re: SSL Decryption

Thanks for your answers.

 

I followed several guides to set up SSL Decryption (including the one you provided).

 

192.168.116.191 is the internal IP (default gateway of the users)

 

I configured it again, using a self-signed certificate; the problem is still there...

 

[Screenshots: V1.png, V2.png, V3.png, V4.png, V5.png, V6.png]

L6 Presenter

Re: SSL Decryption

L2 Linker

Re: SSL Decryption

I can't access https://www.vmware.com either :(

For your information, I tried to set up SSL Decryption on a new PA-820 (PAN-OS 8.0) with the same configuration, and the problem is the same...

What should I do to make it functional?

L6 Presenter

Re: SSL Decryption

Did you actually click on the "confirm security exception" button?

L2 Linker

Re: SSL Decryption

Yes I did :)

 

I am very surprised about this issue... the configuration is pretty simple but the troubleshooting is not so easy.

L6 Presenter

Re: SSL Decryption

Yeah, the only thing I have different is that on my SSL self-generated cert I have the CN as a name, not an IP. Can you test with self-signed certs?

L2 Linker

Re: SSL Decryption

Yeah, I have tested with a self-signed certificate; please refer to my previous post (screenshots have been posted).

CN or IP doesn't matter... right?
