SSL Decryption Not Working due to Unsupported Cipher Suites

by panagent on 01-13-2012 08:18 AM - edited on 11-10-2017 04:03 AM


With Inbound Inspection, after completing the required configuration and importing all required certificates, inbound SSL decryption is still not working for the web server.


Similarly, when using SSL Forward Proxy, sessions are either not decrypted and continue to show as application "ssl", or they are not allowed through as application "ssl" and are instead interrupted.


Check the following compatibility matrix to see which cipher suites are supported for each PAN-OS release and feature or function:


Supported Cipher Suites


Run the following CLI command and look for the type of drop message:

> show counter global filter delta yes | match ssl_sess_id_resume_drop


From PAN-OS 6.0 onwards, the show counter global command also reports when a cipher suite is unsupported.

With a PCAP filter applied and using delta counters:

> show counter global filter packet-filter yes delta yes


> show counter global filter delta yes | match "ssl_server_cipher_not_supported"




ssl_server_cipher_not_supported 2 0 warn ssl pktproc The cipher chosen by server is not supported



Disable the unsupported cipher suites on the web server.
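As an added example (not part of the original article), the following Python script parses the counter table returned by show counter global and flags the SSL counters that explain a failed decryption. The sample output is constructed for the example and its values are invented.

```python
"""Added example: triage PAN-OS 'show counter global' output for SSL decryption drops."""
import re
from typing import NamedTuple

# Constructed sample of 'show counter global filter delta yes' output;
# column layout as in the article, values invented.
SAMPLE_OUTPUT = """\
Elapsed time since last sampling: 5.123 seconds
name                             value  rate severity category aspect   description
---------------------------------------------------------------------------------
pkt_recv                          1204   240 info     packet   pktproc  Packets received
ssl_server_cipher_not_supported      2     0 warn     ssl      pktproc  The cipher chosen by server is not supported
ssl_sess_id_resume_drop              1     0 drop     ssl      pktproc  Session ID resumption dropped
session_allocated                   33     6 info     session  resource Sessions allocated
---------------------------------------------------------------------------------
Total counters shown: 4
"""

# One table row: name value rate severity category aspect description
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(.*?)\s*$")

# The counter the article explains, with the remediation it gives.
HINTS = {"ssl_server_cipher_not_supported":
         "server chose a cipher suite PAN-OS cannot decrypt; disable it on the web server"}

class Counter(NamedTuple):
    name: str
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    description: str

def parse_counters(text: str) -> list[Counter]:
    """Every table row of the CLI output; header, rulers and totals are skipped."""
    rows = []
    for m in filter(None, map(ROW.match, text.splitlines())):
        n, v, r, sev, cat, asp, desc = m.groups()
        rows.append(Counter(n, int(v), int(r), sev, cat, asp, desc))
    return rows

def ssl_drops(counters: list[Counter]) -> list[Counter]:
    """Non-zero SSL counters at warn/drop severity: the ones worth chasing."""
    return [c for c in counters
            if c.category == "ssl" and c.value > 0 and c.severity in ("warn", "drop")]

def diagnose(text: str) -> dict[str, str]:
    """Map each flagged SSL counter to the article's hint, else its own description."""
    return {c.name: HINTS.get(c.name, c.description) for c in ssl_drops(parse_counters(text))}
```

Paste the real CLI output in place of SAMPLE_OUTPUT and call diagnose() on it; a non-empty result names the counter to act on.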


See Also

Palo Alto Networks Supported SSL/TLS Version and Cipher Suites for Web UI


owner: panagent

by Kim_Hansen
on 10-22-2014 09:48 AM


When will Palo Alto support Forward Secrecy?

Especially the Elliptic Curve cryptography (ECDHE) cipher suites.

...because ECDHE suites are faster than DHE suites.

- Kim

by Kim_Hansen
on 11-12-2014 02:43 AM


Yesterday Microsoft discovered some issues in Schannel that could allow Remote Code Execution (2992611) - MS14-066 - Critical:

Microsoft Security Bulletin MS14-066 - Critical

They also implemented the following New cipher suites:





When will at least the TLS_RSA cipher suites be supported?

- Kim

by mr.linus
on 05-18-2015 06:37 AM

cipher suites update:

PanOS 6.0.x - 6.1.x.

(No cipher suite sets have been added in 6.1.x since 6.0.x)

SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 supported;

RSA key sizes 512-8192-bits supported;









(It is not documented yet, but you can rely on what you see in Decryption profile > SSL protocol Settings.

Combination of Encryption and Authentication algorithms make all possible cipher suites.)




MD5, SHA1, SHA256, SHA384

Scope also depends on the protocol version: SSLv3.0, TLSv1.0, TLSv1.1, TLSv1.2

by sobanskipalo
on 06-16-2015 09:02 AM

Anybody have an edit to ensure my server only negotiates the supported ciphers?

by thomas.schmitz
on 07-29-2015 11:43 PM

In the current implementation probably never. Decrypting PFS requires reverse proxy mechanisms which are not part of PAN OS right now.

by EdwinD
on 05-08-2016 07:54 AM

Regarding this

>>When will Palo Alto support Forward Secrecy?

>>>In the current implementation probably never.


Never say never. Palo Alto Networks firewalls now support PFS when performing SSL Forward Proxy decryption. PFS ensures that data from the session undergoing SSL Forward Proxy decryption cannot later be retrieved in the event that server private keys are compromised. You can enforce Diffie-Hellman key exchange-based PFS (DHE) and/or elliptic curve Diffie-Hellman-based PFS (ECDHE) with SSL Forward Proxy.


New in PanOS 7.1 - Perfect Forward Secrecy (PFS) Support with SSL Forward Proxy Decryption


PFS Documentation ( PanOS 7.1 )



(I am a customer of Palo Alto Networks products, not an employee.)



by thomas.schmitz
on 07-25-2016 11:53 PM

@EdwinD: That goes for forward decryption which ever was proxy-based. This article is about inbound decryption and as I said, we would require reverse-proxy-like functionality if PAN would ever allow us to decrypt PFS inbound.
