11-19-2024 12:53 PM
We updated PANOS (on Friday before h6 was released on Sat) to 10.1.14-h4, rebooted and now our users are sporadically complaining about when using google Chrome (Edge not effected), getting a "Your connection is not private" NET::ERR_CERT_AUTHORITY_INVALID - specifically going to some banking sites (Chase.com, being a major culprit). Doesn't happen to everyone, and is very sporadic, then starts working later on. The only change we did was the 10.1.14 upgrade. We are not decrypting financial sites, and you can see Chase's cert in chrome - however adding to no-decrypt sometimes helps the user. I noticed our user-decrypt-profile is limited to TLS 1.2 (so maybe that's the issue) but called support (hasn't been helpful) next step is updating to h6. Any ideas or suggestions would be greatly appreciated! thanks in advance
11-19-2024 08:07 PM
Hi @AlonTabak ,
Its likely that the websites you are getting those errors on are using tls 1.3:
Test this out by modifying your decryption profile and set min version to 1.2 and max version to max.
11-20-2024 06:25 AM
Thanks for the recommendation but no dice (just yet). Added TLS 1.3/Max as an option (which is good to have in either case), but still an issue with specific banking sites Chase, Merril, etc (only for some users). Palo support recommends flow based debugging as a next step, and I'm upgrading to the latest 10.1.14-h6 on Friday as another option.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
