If a website or destination host only supports ECDHE SSL cipher suites, SSL decryption forward proxy will not work. This is because the forward proxy feature does not support ECDHE cipher suites.
Let's take a look at how the SSL decryption forward proxy feature handles unsupported ECDHE cipher suites.
The client sends an SSL hello to the website or destination host. The client hello includes all the SSL cipher suites it supports, which include the ECDHE cipher suites. The Palo Alto Networks firewall intercepts the client hello packet, selects the supported ciphers from this list (removing the ECDHE ones), re-crafts the SSL client hello and proxies it to the website.
If the website does not support any non-ECDHE ciphers, the website or destination host replies with an SSL HANDSHAKE failure: error code 40 - unsupported ciphers.
The packet containing 'SSL HANDSHAKE failure: error code 40- unsupported ciphers' is the trigger for the Palo Alto Networks firewall to know that the website or destination host does not support the proposed SSL cipher suites. The Palo Alto Networks firewall gives up decryption for this website and populates its 'ssl-decrypt exclude cache.'
From now on, the Palo Alto Networks firewall will not proxy any subsequent connections to this website or destination host.
The lifetime of the SSL decrypt exclude cache is 12 hours. It persists as long as there's no change made to the decryption policy.
If you now collect another packet capture on the firewall at the receive and transmit stages and compare them, you can see that the SSL cipher suites proposed in the client hello by the actual client machine behind the Palo Alto Networks firewall and those in the client hello relayed by the firewall are the same. SSL decryption forward proxy is thereby bypassed for this destination.
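The handshake flow described above, as an added Python simulation that is not part of the original article or of PAN-OS: it parses a constructed ClientHello cipher_suites vector, strips the ECDHE suites the way the proxy does before re-crafting the hello, and parses the server's reply to decide whether the destination would end up in the exclude cache. The cipher-suite code points are real IANA values; the server model, the stand-in ServerHello record and the sample data are constructed.

```python
import struct

# IANA cipher-suite code points for a constructed subset of a real ClientHello.
CIPHER_NAMES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}

def parse_cipher_suites(blob: bytes) -> list:
    """Parse a ClientHello cipher_suites vector: 2-byte length, then 2-byte suite ids."""
    (length,) = struct.unpack("!H", blob[:2])
    body = blob[2:2 + length]
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, len(body), 2)]

def strip_ecdhe(suites: list) -> list:
    """Drop ECDHE suites, as the forward proxy does before re-crafting the hello."""
    return [s for s in suites if "ECDHE" not in CIPHER_NAMES.get(s, "")]

def is_handshake_failure_alert(record: bytes) -> bool:
    """True for a TLS alert record (type 21) carrying fatal handshake_failure (40)."""
    if len(record) < 7 or record[0] != 21:
        return False
    level, description = record[5], record[6]
    return level == 2 and description == 40

def server_response(server_suites: set, proxied_suites: list) -> bytes:
    """Constructed server model: pick the first mutually supported suite, else alert 40."""
    for s in proxied_suites:
        if s in server_suites:
            return bytes([22, 3, 3, 0, 2]) + struct.pack("!H", s)  # stand-in ServerHello
    return bytes([21, 3, 3, 0, 2, 2, 40])  # alert: fatal, handshake_failure

def decide(client_hello_suites: bytes, server_suites: set) -> str:
    """Return 'exclude' when the proxied handshake fails, else 'decrypt'."""
    proxied = strip_ecdhe(parse_cipher_suites(client_hello_suites))
    if is_handshake_failure_alert(server_response(server_suites, proxied)):
        return "exclude"  # firewall adds SERVER/APP/PROFILE to the exclude cache
    return "decrypt"

# Constructed ClientHello cipher_suites vector: 5 suites (10 bytes of ids).
CLIENT_SUITES = struct.pack("!H", 10) + struct.pack("!5H", 0xC02B, 0xC02F, 0xC030, 0x009C, 0x002F)
ECDHE_ONLY_SERVER = {0xC02B, 0xC02F, 0xC030}   # constructed: ECDHE-only destination
RSA_CAPABLE_SERVER = {0xC02F, 0x009C}          # constructed: also offers an RSA suite

if __name__ == "__main__":
    print(decide(CLIENT_SUITES, ECDHE_ONLY_SERVER))   # exclude
    print(decide(CLIENT_SUITES, RSA_CAPABLE_SERVER))  # decrypt
```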
Beginning PAN-OS 7.0.1 and onwards
SSLv3 is the minimum SSL protocol version that is supported. It is not supported in FIPS mode, though.
The SSL decrypt exclude cache works in tandem with the configured decryption profile parameters.
The server URL/IP, application and decryption profile are put in the exclude cache if all of the following hold:
- The decryption mode is SSL Forward Proxy.
- "Block sessions with unsupported version" and "Block sessions with unsupported cipher suites" are unchecked in the decryption profile.
- The failure comes from the server side rather than the client side, either in the server hello or in an alert from the server.
For example, on the firewall CLI:
PA-VM> show system setting ssl-decrypt exclude-cache
In the above output from the command line of the Palo Alto Networks firewall:
VSYS: 1 is the ID of the default virtual system 1 (vsys1).
SERVER: 126.96.36.199 is the IP address of the website / destination host.
APP: ssl reflects the ssl application.
TIMEOUT: 43186 is the remaining lifetime of the cached entry in seconds. The maximum cache lifetime is 12 hours, or 43200 seconds.
REASON: SSL_UNSUPPORTED implies unsupported SSL cipher suites and hence an entry in the exclude cache.
DECRYPTED_APP: undecided, because the session to the website was not decrypted, so the firewall does not know the underlying application.
PROFILE: Decrypt Stream is the name of the decryption profile referenced in the SSL decryption policy.
The cache can be cleared using the following CLI command and options:
PA-VM> debug dataplane reset ssl-decrypt exclude-cache
  + application <application>
  + server <server address and port>
For example:
PA-VM> debug dataplane reset ssl-decrypt exclude-cache application ssl server 188.8.131.52:443
Please refer to the PAN-OS New Features Guide for more information on the enhancements made to the SSL decryption feature.
Read this article for more information about unsupported SSL cipher suites: