Decrypt Errors on SSL Inbound Inspection After Upgrading to PAN-OS 8.0
83453
Created On 09/26/18 20:46 PM - Last Modified 09/22/21 03:28 AM
Symptom
SSL inbound policies worked when configured on PAN-OS 7.1, but after upgrading to 8.0, some of the sessions fail, and the logs show decrypt errors. Below is an example of a failed session:
admin@firewall> show session id 318075 Session 318075 c2s flow: source: 200.0.0.1 [Untrust] dst: 100.0.0.1 proto: 6 sport: 56272 dport: 25 state: INIT type: FLOW src user: unknown dst user: unknown s2c flow: source: 192.168.1.100 [Trust] dst: 200.0.0.1 proto: 6 sport: 25 dport: 56272 state: INIT type: FLOW src user: unknown dst user: unknown start time : Wed Apr 17 14:04:30 2019 timeout : 15 sec total byte count(c2s) : 3975 total byte count(s2c) : 5583 layer7 packet count(c2s) : 13 layer7 packet count(s2c) : 16 vsys : vsys1 application : smtp rule : Inbound-SMTP session to be logged at end : True session in session ager : False session updated by HA peer : False address/port translation : destination nat-rule : smtp(vsys1) layer7 processing : enabled URL filtering enabled : True URL category : business-and-economy session via syn-cookies : False session terminated on host : False session traverses tunnel : False captive portal session : False ingress interface : ae1 egress interface : ae2 session QoS rule : N/A (class 4) tracker stage firewall : proxy decrypt failure tracker stage l7proc : ctd proc changed end-reason : policy-deny
Environment
PAN-OS 8.0 and above. SSL inbound inspection configured.
Cause
Prior to PAN-OS 8.0, inbound inspection was completely passive. Since the firewall has the certificate and the private key, the firewall can decrypt on the fly without a need to proxy. Starting on PAN-OS 8.0, Diffie-Hellman exchange (DHE) or Elliptic Curve Diffie-Hellman exchange (ECDHE) are supported.
Since these two protocols use Perfect Forward Secrecy (PFS), the firewall acts as a man-in-the-middle proxy between the external client and the internal server. Because PFS generates a new key with every session, the firewall can’t simply copy and decrypt the inbound SSL flow as it passes through, the firewall must act as a proxy device.
The firewall is now acting as a proxy, and if the firewall is unable to complete the SSL handshake, the session is terminated due to decrypt-errors. Common reasons for decrypt failures are:
– Unsupported ciphers suites
– Unsupported EC curves
– Server using certificate chains
– Server sending client certificate verify
– Server configured with client certificate authentication
– Client sending SSL alert due to unknown certificate or bad certificate
Resolution
Additional Information
For additional information on SSL inbound inspection, please review this article: SSL Inbound Inspection.