SSL Inbound Inspection not working with decrypt-error message

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

SSL Inbound Inspection not working with decrypt-error message

L1 Bithead

Hello,

 

I'm trying to setup, for the first time, our SSL Inbound Inspection, but I've some difficulties to achieve the setup.

 

The configuration seems really simple, and I followed this guide:

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/configure-ssl-inbound-ins...

 

I'd imported the certificate and intermediate certificate, checked that the root CA exists in the in the Trusted Certificate Authorities (Quovadis Root CA 2) and create a decryption rule.

 

When checking the traffic log, all entries matching the decryption rule returns a decrypt-error as the session end reason.

 

How I can debug this kind of error?

 

Thanks!

1 accepted solution

Accepted Solutions

also make sure the server is using a cupher suite that's supported by the firewall : PAN-OS 7.1 Supported ciphers

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

6 REPLIES 6

L4 Transporter

Hi FTBZ,

 

When you're configuring Inbound inspection you're looking to decrypt traffic that is incoming to a server providing encrypted services, like a HTTPS enabled web-server.

 

To get Inbound inspection to work you'll need to use the same certificate on the firewall (with private key) that you use on the server. You don't need an intermediate certificate for inbound inspection.

 

hope this helps,

Ben

also make sure the server is using a cupher suite that's supported by the firewall : PAN-OS 7.1 Supported ciphers

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Sorry for the late response, didn't get the notification about new message.

 


To get Inbound inspection to work you'll need to use the same certificate on the firewall (with private key) that you use on the server. You don't need an intermediate certificate for inbound inspection. 

 

Exactly what I've done, but thanks.

  



also make sure the server is using a cupher suite that's supported by the firewall : PAN-OS 7.1 Supported ciphers


 Oh, thanks. Perhaps my problem can be here, our Apache configurations have a lot of cipher fine-tuning.


@reaper wrote:

also make sure the server is using a cupher suite that's supported by the firewall : PAN-OS 7.1 Supported ciphers


 

I checked the cipher used during my tests and it's one that's supported by PAN-OS 7.1 (TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256).

 

We're using Quovadis certificates that need an intermediate one. Someone knows the correct steps to use it? The default CA root exists in the Default Trusted Certificate Autorities. Need I to reupload it to the Device Certificate for using intermediate? The Trusted Root CA checkbox needs to be used for an intermediate? 🤔

 

Finally, figured it out. For SSL Inbound Inspection only RSA key exchange is supported... Found this information in small in the Decryption Profile. Didn't see it before because I used the default one. This information needs really to be added to the documentation and to the page "PAN-OS 7.1 Supported ciphers".


Don't think that disabling ECDHE and using RSA on our web serversis a good choice. Any idea?

L4 Transporter

it is important that your webserver is offering the same of what is supported by palo alto. take a look here:

 

cipher.PNG

  • 1 accepted solution
  • 8923 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!