Content-Filter and Decryption - ERR_SSL_PROTOCOL_ERROR


L0 Member

Hi!

I see a strange problem with the combination of content-filtering and decryption:

- Decryption is on

- Facebook is declared as "block-continue"

If I open "http://www.facebook.de" the block-continue-page appears - pressing continue forwards me to "https://www.facebook.com" and everything is fine.

30 minutes later, I try to access "https://www.facebook.com", but instead of showing the block-continue-page, the browser (tested with Firefox and Chrome) just shows

          SSL Connection Error

          ERR_SSL_PROTOCOL_ERROR

The only workaround I found was to access the "http-site" of Facebook to get back the block-continue-page of my PA.

Did you ever see that behaviour?

I am using software release 5.0.11 at the moment.

Regards,

Phil


L7 Applicator

This sounds like a bug. I don't see anything like this on the list of addressed issues in PAN-OS 5.0.12 either.

I would open a ticket to get this reported and into the bug database for a fix.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L7 Applicator

Hello Pstriker,

Could you please verify what version of TLS you are getting during the SSL handshake. The SSL versions supported by PAN-OS 5.0.x are: SSLv3, TLS 1.0, and TLS 1.1.

If you are getting a connection on TLS version 1.2, you can change the browser settings to use a lower TLS version and let us know the result. Also make sure the setting shown below is unchecked if you have a "decryption profile" configured on your firewall during the test.

[Image: Decryption profile.JPG (SSL Decrypt)]

Thanks

L7 Applicator

FYI:

Google Chrome: In order to enable TLS 1.0 in Chrome do the following:

1. Click the wrench icon:

2. Choose Options

3. Select "Under the Hood" Tab

4. Click Change proxy settings

5. Select "Advanced" Tab

6. Scroll down and check TLS 1.0

7. Close and restart all open browsers.

Thanks

Hello Hulk!

I have checked my settings: TLS 1.0 is already enabled, but block-continue-pages are not displayed for https-sites.

My decryption profile does not block sessions with unsupported cipher suites. I double-checked this.

I think, the problem is the combination of content filter and decryption:

- Content-Filter is working fine

- Decryption is working fine

The combination fails because, I do not get the "block-continue-page".

Do you have any other idea?

Regards,

Phil

Hello Phil,

Could you please take a TCP FLOW_BASIC, CTD to get some more detailed information.

Thanks

Hello Hulk,

Can you please explain to me what you mean with "TCP FLOW_BASIC, CTD"?

Regards,

Phil

Hello Phil,

Please find the doc below for the same:

Packet Capture, Debug Flow-basic and Counter Commands

Thanks
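Once the capture Hulk asks for is in hand, the earlier question in this thread (which TLS version the client offers and which one the server, or the decrypting firewall standing in for it, actually selects) can be answered from the first two TLS records on the wire. The Python below is an added example, not code from the thread or from PAN-OS: it parses the version fields of a ClientHello and ServerHello (including the supported_versions extension, which is where a TLS 1.3 server really states its choice), decodes a fatal alert record, and includes a small live probe built on the standard ssl module. The sample records are constructed inline for the demonstration; the host and port in the probe are assumptions.

```python
"""Read TLS version information out of captured handshake records.

Added example. The sample records below are constructed here; feed real
bytes (the TCP payload of the first client and server packets after the
three-way handshake) from a pcap to analyse a real session.
"""
import ssl
import socket
import struct

RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2
EXT_SUPPORTED_VERSIONS = 43          # RFC 8446 extension number

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
               70: "protocol_version", 71: "insufficient_security"}


def version_name(v):
    return VERSION_NAMES.get(v, "unknown(0x%04x)" % v)


def parse_record(data):
    """Split one TLS record into (content_type, record_version, body)."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, rver, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    return ctype, rver, body


def parse_hello(body):
    """Parse a ClientHello/ServerHello handshake body into a dict."""
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    info = {"type": hs_type, "legacy_version": struct.unpack("!H", hs[:2])[0],
            "supported_versions": []}
    pos = 2 + 32                                  # skip version + random
    sid_len = hs[pos]; pos += 1 + sid_len         # skip session id
    if hs_type == HS_CLIENT_HELLO:
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        info["cipher_suites"] = [struct.unpack("!H", hs[i:i + 2])[0]
                                 for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + hs[pos]                        # skip compression methods
    elif hs_type == HS_SERVER_HELLO:
        info["cipher_suite"] = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 3
    else:
        raise ValueError("not a ClientHello/ServerHello")
    if pos < len(hs):                             # extensions are optional
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            edata = hs[pos:pos + elen]; pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                if hs_type == HS_CLIENT_HELLO:    # 1-byte length + list
                    info["supported_versions"] = [struct.unpack("!H", edata[i:i + 2])[0]
                                                  for i in range(1, 1 + edata[0], 2)]
                else:                             # single selected version
                    info["supported_versions"] = [struct.unpack("!H", edata[:2])[0]]
    return info


def negotiated_version(server_info):
    """Version the server chose: supported_versions overrides the legacy field."""
    return (server_info["supported_versions"] or [server_info["legacy_version"]])[0]


def describe(record):
    """One-line summary of a captured record, for eyeballing a handshake."""
    ctype, _, body = parse_record(record)
    if ctype == RECORD_ALERT:
        level, desc = body[0], body[1]
        return "alert %s %s" % ("fatal" if level == 2 else "warning", ALERT_NAMES.get(desc, str(desc)))
    if ctype == RECORD_HANDSHAKE:
        info = parse_hello(body)
        if info["type"] == HS_CLIENT_HELLO:
            offered = info["supported_versions"] or [info["legacy_version"]]
            return "ClientHello offers " + ", ".join(version_name(v) for v in offered)
        return "ServerHello selects " + version_name(negotiated_version(info))
    return "record type %d" % ctype


def live_probe(host, port=443):
    """Assumed usage: report what a real peer negotiates. Certificate checks are
    disabled on purpose, because a decrypting firewall presents its own cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as s, ctx.wrap_socket(s, server_hostname=host) as t:
        return t.version(), t.cipher()[0]


# --- constructed sample records (not from the thread's capture) ---------------
def build_client_hello(legacy_version, suites, supported=()):
    body = struct.pack("!H", legacy_version) + b"\x11" * 32 + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", c) for c in suites) + b"\x01\x00"
    if supported:
        sv = bytes([2 * len(supported)]) + b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", RECORD_HANDSHAKE, 0x0301, len(hs)) + hs


def build_server_hello(legacy_version, suite, selected=None):
    body = struct.pack("!H", legacy_version) + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    if selected is not None:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected)
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", RECORD_HANDSHAKE, legacy_version, len(hs)) + hs


SAMPLE_CLIENT_HELLO = build_client_hello(0x0303, [0xC02F, 0x002F], [0x0304, 0x0303, 0x0302, 0x0301])
SAMPLE_SERVER_HELLO = build_server_hello(0x0302, 0x002F)            # TLS 1.1 picked, no extension
SAMPLE_FATAL_ALERT = struct.pack("!BHH", RECORD_ALERT, 0x0301, 2) + bytes([2, 70])

if __name__ == "__main__":
    for rec in (SAMPLE_CLIENT_HELLO, SAMPLE_SERVER_HELLO, SAMPLE_FATAL_ALERT):
        print(describe(rec))
```

If the ServerHello in the capture names a version the firewall's decryption engine does not support, or the first record back is a fatal alert (or no TLS record at all, just a reset), that points at the decryption side of the combination; if the ServerHello is fine and the application data simply never turns into a block page, the URL-filtering side is the one to look at. The live probe reports what the client side ends up negotiating through the firewall, which is the quickest way to confirm the browser setting Hulk asked about.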

Hello Hulk!

It is absolutely strange! This morning the problem was still there, and now it is working without changing anything!

What is the packet capture you need? How should I set the filter?

Regards,

Phil
