Issue
With Inbound SSL decryption, after completing the required configuration and importing all required certificates, inbound SSL decryption is still not working for the web server.
Similarly, when using SSL Forward Proxy, sessions are either not decrypted and continue to show as application "ssl", or connections are not allowed through as application "ssl" and are instead interrupted.
Check the following compatibility matrix to see which cipher suites are supported for each PAN-OS release and feature or function:
Supported Cipher Suites
Using the following CLI command, look for the type of drop message:
> show counter global filter delta yes | match ssl_sess_id_resume_drop
In PAN-OS 6.0 and above, the show counter global command shows whether a cipher suite is unsupported.
With a PCAP filter applied and using delta counters:
> show counter global filter packet-filter yes delta yes
or
> show counter global filter delta yes | match "ssl_server_cipher_not_supported"
...
...
ssl_server_cipher_not_supported 2 0 warn ssl pktproc The cipher chosen by server is not supported
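When the counter output is saved to a file during troubleshooting, the check above can be scripted. The following is an added example, not Palo Alto Networks code: it assumes the row layout (name, value, rate, severity, category, aspect, description) inferred from the sample line on this page, and the function names, hint text and the non-SSL sample row are constructed for illustration.

```python
import re

# Row layout assumed from the sample line on this page:
# name, value, rate, severity, category, aspect, description
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
FIELDS = ("name", "value", "rate", "severity", "category", "aspect", "description")

# The two counters this page matches on. Hint text is this example's wording.
HINTS = {
    "ssl_server_cipher_not_supported": "disable the unsupported cipher suite on the web server",
    "ssl_sess_id_resume_drop": "drop counter matched by the first command on this page",
}

# Constructed sample of saved CLI output. The ssl row is the one shown on this
# page; the other row is invented to show that non-SSL counters are ignored.
SAMPLE = """\
> show counter global filter delta yes
...
example_unrelated_counter 120 4 info packet pktproc Constructed non-SSL row
ssl_server_cipher_not_supported 2 0 warn ssl pktproc The cipher chosen by server is not supported
...
"""

def parse_counters(text):
    """Return one dict per counter row; prompts, headers and '...' are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        row = dict(zip(FIELDS, m.groups()))
        row["value"], row["rate"] = int(row["value"]), int(row["rate"])
        rows.append(row)
    return rows

def ssl_findings(text):
    """Counters in category 'ssl' (or named on this page) that incremented."""
    hits = []
    for row in parse_counters(text):
        if row["value"] > 0 and (row["category"] == "ssl" or row["name"] in HINTS):
            row["hint"] = HINTS.get(row["name"], "check the description column")
            hits.append(row)
    return hits

if __name__ == "__main__":
    for f in ssl_findings(SAMPLE):
        print(f'{f["name"]} +{f["value"]} [{f["severity"]}] {f["description"]} -> {f["hint"]}')
```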
Resolution
Disable the unsupported cipher suites on the web server.
owner: panagent