SSL Inbound Inspection not working with decrypt-error message

L1 Bithead


Hello,

 

I'm trying to set up, for the first time, our SSL Inbound Inspection, but I'm having some difficulties achieving the setup.

 

The configuration seems really simple, and I followed this guide:

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/configure-ssl-inbound-ins...

 

I imported the certificate and intermediate certificate, checked that the root CA exists in the Trusted Certificate Authorities (Quovadis Root CA 2) and created a decryption rule.

 

When checking the traffic log, all entries matching the decryption rule return a decrypt-error as the session end reason.

 

How can I debug this kind of error?

 

Thanks!

L4 Transporter

Re: SSL Inbound Inspection not working with decrypt-error message

Hi FTBZ,

 

When you're configuring Inbound inspection you're looking to decrypt traffic that is incoming to a server providing encrypted services, like a HTTPS enabled web-server.

 

To get Inbound inspection to work you'll need to use the same certificate on the firewall (with private key) that you use on the server. You don't need an intermediate certificate for inbound inspection.

 

hope this helps,

Ben

Community Manager

Re: SSL Inbound Inspection not working with decrypt-error message

also make sure the server is using a cipher suite that's supported by the firewall : PAN-OS 7.1 Supported ciphers


Help the community: Like helpful comments and mark solutions
Reaper out
L1 Bithead

Re: SSL Inbound Inspection not working with decrypt-error message

Sorry for the late response, didn't get the notification about new message.

 


To get Inbound inspection to work you'll need to use the same certificate on the firewall (with private key) that you use on the server. You don't need an intermediate certificate for inbound inspection. 

 

Exactly what I've done, but thanks.

  



also make sure the server is using a cipher suite that's supported by the firewall : PAN-OS 7.1 Supported ciphers


Oh, thanks. Perhaps my problem is here, as our Apache configurations have a lot of cipher fine-tuning.

L1 Bithead

Re: SSL Inbound Inspection not working with decrypt-error message


@reaper wrote:

also make sure the server is using a cipher suite that's supported by the firewall : PAN-OS 7.1 Supported ciphers


 

I checked the cipher used during my tests and it's one that's supported by PAN-OS 7.1 (TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256).

 

We're using Quovadis certificates that need an intermediate one. Does anyone know the correct steps to use it? The root CA already exists in the Default Trusted Certificate Authorities. Do I need to re-upload it to the Device Certificates to use the intermediate? Does the Trusted Root CA checkbox need to be used for an intermediate? 🤔

 

L1 Bithead

Re: SSL Inbound Inspection not working with decrypt-error message

Finally, figured it out. For SSL Inbound Inspection only RSA key exchange is supported... Found this information in small print in the Decryption Profile. Didn't see it before because I used the default one. This information really needs to be added to the documentation and to the page "PAN-OS 7.1 Supported ciphers".


I don't think that disabling ECDHE and using RSA on our web servers is a good choice. Any idea?

kdd
L4 Transporter

Re: SSL Inbound Inspection not working with decrypt-error message

It is important that your web server is offering the same as what is supported by Palo Alto. Take a look here:

 

[attachment: cipher.PNG, screenshot of the supported cipher list]
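An added example (not from the thread or from Palo Alto Networks) that turns the finding above into a check: it parses the output of `openssl ciphers -v '<your Apache SSLCipherSuite string>'` and separates suites with RSA key exchange, which the thread says are the only ones PAN-OS 7.1 inbound inspection can decrypt, from ECDHE/DHE suites that would end with decrypt-error. The sample output is constructed, and the "RSA key exchange only" rule is taken from the thread rather than from vendor documentation.

```python
"""Audit an OpenSSL/Apache cipher list for PAN-OS 7.1 SSL Inbound Inspection.

Assumption (taken from the thread, not verified against vendor docs here):
with the default decryption profile on PAN-OS 7.1, inbound inspection can only
decrypt sessions negotiated with RSA key exchange; ECDHE/DHE suites end with
session end reason "decrypt-error".
"""
import re

# Constructed sample: what `openssl ciphers -v '<SSLCipherSuite>'` prints for
# a typical Apache cipher list (trimmed to a few suites).
SAMPLE_OPENSSL_CIPHERS_V = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(256)    Mac=SHA1
"""

# One line of `openssl ciphers -v`: name, protocol, Kx=..., Au=..., ...
LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)")


def parse_ciphers_v(text):
    """Return [(name, protocol, key_exchange, auth)] from `openssl ciphers -v` output."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append((m["name"], m["proto"], m["kx"], m["au"]))
    return suites


def audit_inbound_inspection(text):
    """Split suites into (decryptable, failing): Kx=RSA vs. forward-secret exchanges."""
    decryptable, failing = [], []
    for name, _proto, kx, _au in parse_ciphers_v(text):
        (decryptable if kx == "RSA" else failing).append(name)
    return decryptable, failing


def kx_from_iana_name(name):
    """Key exchange from an IANA-style name as seen in logs, e.g.
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (hyphenated form also accepted)."""
    body = name.replace("-", "_").removeprefix("TLS_")
    return body.split("_WITH_", 1)[0].split("_", 1)[0]


if __name__ == "__main__":
    ok, bad = audit_inbound_inspection(SAMPLE_OPENSSL_CIPHERS_V)
    print("decryptable by inbound inspection:", ok)
    print("will end with decrypt-error:", bad)
```

Run it against the real `openssl ciphers -v` output of your SSLCipherSuite string; every suite in the second list is one the firewall cannot decrypt unless the server is restricted to RSA key exchange (at the cost of forward secrecy, which is the trade-off the last post is reluctant to make).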
