05-31-2014 01:38 AM
Hi!
I see a strange problem with the combination of content-filtering and decryption:
- Decryption is on
- Facebook is declared as "block-continue"
If I open "http://www.facebook.de", the block-continue page appears; pressing Continue forwards me to "https://www.facebook.com" and everything is fine.
30 minutes later I try to access "https://www.facebook.com", but instead of showing the block-continue page, the browser (tested with Firefox and Chrome) just shows
SSL Connection Error
ERR_SSL_PROTOCOL_ERROR
The only workaround I found was to access the http site of Facebook to get back the block-continue page of my PA.
Did you ever see that behaviour?
I am using software release 5.0.11 at the moment.
Regards,
Phil
05-31-2014 04:28 AM
This sounds like a bug. I don't see anything like this on the list of addressed issues in PAN-OS 5.0.12 either.
I would open a ticket to get this reported and into the bug database for a fix.
05-31-2014 06:53 AM
Hello Pstriker,
Could you please verify what version of TLS you are getting during the SSL handshake. The SSL versions supported by PAN-OS 5.0.x are SSLv3, TLS 1.0, and TLS 1.1.
If you are getting a connection on TLS version 1.2, you can change the browser settings to use a lower TLS version and let us know the result. Also make sure the setting mentioned below is unchecked if you have a "decryption profile" configured on your firewall during the test.
Thanks
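The reply above asks which TLS version the client and server actually agree on during the handshake, since a session negotiated to TLS 1.2 falls outside what PAN-OS 5.0.x decryption supports. The following is an added example, not code from the thread or from Palo Alto Networks: it reads the version fields of a TLS ClientHello and ServerHello out of a reassembled TCP payload (for instance the payload of the handshake packets in a firewall or client-side capture) and reports whether the negotiated version is one the 5.0.x engine handles. The supported-version set is taken from the reply above; the sample handshake records are constructed in the block and are not from a real capture.

```python
"""Added example: read the version fields of a TLS ClientHello / ServerHello
from the TCP payload of a capture and tell whether a PAN-OS 5.0.x decryption
engine (SSLv3, TLS 1.0, TLS 1.1 per the thread) can handle the session.
The sample records below are constructed here; they are not from the thread."""
import struct

TLS_VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}
# Versions PAN-OS 5.0.x decryption supports, as stated in the reply above.
PANOS_50_DECRYPTABLE = {(3, 0), (3, 1), (3, 2)}

HANDSHAKE = 0x16
CLIENT_HELLO = 1
SERVER_HELLO = 2


def iter_records(payload: bytes):
    """Yield (content_type, record_version, fragment) for each TLS record in a
    reassembled TCP payload; stop at a truncated trailing record."""
    pos = 0
    while pos + 5 <= len(payload):
        ctype = payload[pos]
        version = (payload[pos + 1], payload[pos + 2])
        length = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
        frag = payload[pos + 5:pos + 5 + length]
        if len(frag) < length:
            break
        yield ctype, version, frag
        pos += 5 + length


def parse_hello(fragment: bytes) -> dict:
    """Parse a ClientHello or ServerHello handshake message.

    Returns the handshake type, the Hello's own version field (the one that
    matters for negotiation; the record-layer version is often 3.1 even for
    TLS 1.2 clients) and the offered/selected cipher suite(s)."""
    if len(fragment) < 4:
        raise ValueError("truncated handshake header")
    hs_type = fragment[0]
    hs_len = int.from_bytes(fragment[1:4], "big")
    body = fragment[4:4 + hs_len]
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError(f"handshake type {hs_type} is not a Hello")
    if len(body) < 35:
        raise ValueError("truncated Hello body")
    version = (body[0], body[1])
    pos = 34                      # version (2) + random (32)
    pos += 1 + body[pos]          # session_id length byte + session_id
    info = {"type": hs_type, "version": version}
    if hs_type == CLIENT_HELLO:
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        info["cipher_suites"] = [
            struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)
        ]
    else:
        info["cipher_suite"] = struct.unpack("!H", body[pos:pos + 2])[0]
    return info


def negotiated_version(payload: bytes):
    """Return the version chosen in the first ServerHello found, or None."""
    for ctype, _rec_version, frag in iter_records(payload):
        if ctype == HANDSHAKE and frag and frag[0] == SERVER_HELLO:
            return parse_hello(frag)["version"]
    return None


def panos50_can_decrypt(payload: bytes) -> bool:
    """True when the server picked a version PAN-OS 5.0.x decryption supports."""
    return negotiated_version(payload) in PANOS_50_DECRYPTABLE


def build_hello(hs_type: int, version: tuple, suites: list) -> bytes:
    """Build a minimal Hello record as constructed test data (no extensions).
    The random field is zeroed; real peers send 32 random bytes."""
    body = bytes(version) + bytes(32) + b"\x00"        # version, random, empty session id
    if hs_type == CLIENT_HELLO:
        body += struct.pack("!H", 2 * len(suites))
        body += b"".join(struct.pack("!H", s) for s in suites)
        body += b"\x01\x00"                              # one compression method: null
    else:
        body += struct.pack("!H", suites[0]) + b"\x00"   # chosen suite, null compression
    msg = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(version) + struct.pack("!H", len(msg)) + msg


# Constructed samples: a TLS 1.0 client/server pair and a TLS 1.2 client/server pair.
CLIENT_HELLO_TLS10 = build_hello(CLIENT_HELLO, (3, 1), [0x002F, 0x0035])
SERVER_HELLO_TLS10 = build_hello(SERVER_HELLO, (3, 1), [0x002F])
CLIENT_HELLO_TLS12 = build_hello(CLIENT_HELLO, (3, 3), [0xC02F, 0x002F])
SERVER_HELLO_TLS12 = build_hello(SERVER_HELLO, (3, 3), [0x002F])

if __name__ == "__main__":
    for name, stream in (("TLS 1.0 session", CLIENT_HELLO_TLS10 + SERVER_HELLO_TLS10),
                         ("TLS 1.2 session", CLIENT_HELLO_TLS12 + SERVER_HELLO_TLS12)):
        v = negotiated_version(stream)
        print(f"{name}: server chose {TLS_VERSION_NAMES.get(v, v)}, "
              f"PAN-OS 5.0.x decryptable: {panos50_can_decrypt(stream)}")
```

The version to look at is the one inside the ServerHello, not the record-layer bytes in front of it: browsers routinely send a 3.1 record version with a 3.3 ClientHello, so reading only the first bytes of the capture understates what was negotiated. If the ServerHello says 3.3 on the affected sessions and 3.1 on the ones where the block-continue page appears, that is the data point the reply above asks for.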
05-31-2014 06:54 AM
FYI:
Google Chrome: In order to enable TLS 1.0 in Chrome do the following:
1. Click the wrench icon:
2. Choose Options
3. Select "Under the Hood" Tab
4. Click Change proxy settings
5. Select "Advanced" Tab
6. Scroll down and check TLS 1.0
7. Close and restart all open browsers.
Thanks
05-31-2014 07:54 AM
Hello Hulk!
I have checked my settings: TLS 1.0 is already enabled, but block-continue pages are not displayed for https sites.
My decryption profile does not block sessions with unsupported cipher suites. I double-checked this.
I think the problem is the combination of content filter and decryption:
- Content filter is working fine
- Decryption is working fine
The combination fails because I do not get the block-continue page.
Do you have any other idea?
Regards,
Phil
05-31-2014 09:49 AM
Hello Phil,
Could you please take a TCP FLOW_BASIC, CTD to get some more detailed information.
Thanks
05-31-2014 10:22 AM
Hello Hulk,
can you please explain to me what you mean by "TCP FLOW_BASIC, CTD"?
Regards,
Phil
06-01-2014 10:10 AM
Hello Phil,
Please find below doc for the same:
Packet Capture, Debug Flow-basic and Counter Commands
Thanks
06-01-2014 10:53 PM
Hello Hulk!
It is absolutely strange! This morning the problem was still there, and now it is working without my having changed anything!
What packet capture do you need? How should I set the filter?
Regards,
Phil