04-20-2016 06:01 AM
Just floating this out to the community. We have had decryption enabled for the past 2 years. In the last 6 months we are adding a new site to the no-decrypt category about once a week. We are up to 94 sites that it can't decrypt. Yesterday it was Office365 Exchange that stopped working; today was the kicker, with Microsoft updates failing even though we have always had update.microsoft.com in the list not to decrypt. Last week we added Jimmy John's, which we have been using forever. Is this happening to others?
04-20-2016 06:39 AM
Hello,
More and more web servers are dropping support for RSA.
https://notepad-plus-plus.org/
is just one of them.
ECDHE ciphers are supported for decryption with the release of 7.1.0. If you are encountering problems where the websites are unable to be decrypted due to unsupported ciphers then it would be worth upgrading to take advantage of the new features.
hope this helps,
Ben
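Added illustration (not part of the thread, and not Palo Alto Networks code) of the point Ben makes above: a decryption device that only holds a copy of a server's RSA private key can recover the session secret of an RSA key exchange from the captured handshake, but an ephemeral (DHE/ECDHE) exchange leaves nothing on the wire for that key to unlock, so only a device that actively terminates the handshake on both sides (a forward proxy with its own ephemeral keys and its own CA-signed certificate) can decrypt it. All numbers are constructed toy parameters; finite-field DH stands in for ECDH because the "ephemeral secret never leaves the endpoint" property is the same.

```python
"""Toy RSA key exchange vs. ephemeral DH, as seen by an on-path decryption device.

Constructed parameters only: real TLS uses 2048-bit RSA keys and named elliptic
curves. Requires Python 3.8+ for pow(x, -1, m).
"""
import secrets

# Toy RSA server key (constructed, tiny, insecure).
RSA_P, RSA_Q, RSA_E = 61, 53, 17
RSA_N = RSA_P * RSA_Q                                  # 3233
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))     # 2753

# Toy Diffie-Hellman group (constructed; 2**31 - 1 is prime).
DH_P = 2_147_483_647
DH_G = 7


def rsa_key_exchange(premaster):
    """RSA key exchange: the client encrypts the premaster secret to the server's
    public key. The returned ciphertext is exactly what an on-path device sees."""
    return pow(premaster, RSA_E, RSA_N)


def passive_decrypt_rsa(ciphertext):
    """A device holding the server's private key recovers the premaster from the
    captured ciphertext alone; no interference with the handshake is needed."""
    return pow(ciphertext, RSA_D, RSA_N)


def dh_keypair():
    """Fresh ephemeral key: the private exponent never crosses the wire."""
    priv = 2 + secrets.randbelow(DH_P - 3)
    return priv, pow(DH_G, priv, DH_P)


def dh_shared(my_priv, their_pub):
    return pow(their_pub, my_priv, DH_P)


def ephemeral_handshake_observed():
    """DHE handshake between a client and a server. Returns the wire-visible public
    values and each endpoint's derived secret. The server's RSA key only signs its
    public value; it plays no part in deriving the secret, so a passive device with
    that key has nothing to decrypt with."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    wire = (c_pub, s_pub)
    return wire, dh_shared(c_priv, s_pub), dh_shared(s_priv, c_pub)


def forward_proxy_handshake():
    """Active forward proxy: terminates the client's handshake with its own ephemeral
    key and opens a second handshake to the real server, ending up with both session
    secrets. This is the general TLS-interception model; the client-facing certificate
    is signed by the proxy's CA, which is why clients must trust that CA."""
    c_priv, c_pub = dh_keypair()
    pc_priv, pc_pub = dh_keypair()   # proxy's ephemeral key toward the client
    ps_priv, ps_pub = dh_keypair()   # proxy's ephemeral key toward the server
    s_priv, s_pub = dh_keypair()
    client_secret = dh_shared(c_priv, pc_pub)
    server_secret = dh_shared(s_priv, ps_pub)
    proxy_client_side = dh_shared(pc_priv, c_pub)
    proxy_server_side = dh_shared(ps_priv, s_pub)
    return client_secret, server_secret, proxy_client_side, proxy_server_side


if __name__ == "__main__":
    ct = rsa_key_exchange(1234)
    print("RSA kex, passive device recovers premaster:", passive_decrypt_rsa(ct))
    wire, cs, ss = ephemeral_handshake_observed()
    print("DHE kex, endpoints agree:", cs == ss, "wire shows only:", wire)
    c, s, pc, ps = forward_proxy_handshake()
    print("forward proxy holds client secret:", c == pc, "and server secret:", s == ps)
```

The practical consequence for the thread: once a site drops RSA key exchange, a decryption profile that worked by the first model stops working and the site lands in the no-decrypt list until the firewall can act as the second model.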
04-20-2016 06:52 AM - edited 04-20-2016 06:53 AM
I don't think Jimmy John's is the RSA support issue, because we're cracking it and it's working for us.
You might want to review your decryption profile @craymond and make sure you've got support for unsupported ciphers. Though there is a known issue that even though you've got the box checked it still doesn't work, and therefore requires admins to bypass SSL Interception for that particular site. (For reasons like @bmorris1 said, Palo's lack of support of certain ciphers on code versions less than 7.1.X.) Sites have been ramping up using stronger ciphers that until 7.1.X Palo didn't support.
Also could it be possible that your hardware is running out of resources to support the increased use of SSL across the Internet? Hardware purchased 3 years ago might be reaching its limit since pretty much every site is SSL now.
04-20-2016 07:16 AM
If it is a resource issue then you can quickly check the pools
> debug dataplane pool statistics
You can also check the counters that match the proxy
> show counter global | match proxy
It would be worth clearing the exclude cache as well, but you'll see the usage in the pool output.
> debug dataplane reset ssl-decrypt exclude-cache
hope this helps,
Ben
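Added example (mine, not from the thread and not a Palo Alto Networks tool) for telling the two failure causes in this thread apart from the client side: before touching the firewall, check what key exchange a site actually negotiates and whether it still accepts RSA key exchange at all. The parser reads `openssl s_client` session output; the embedded sample output is constructed. The live probe uses Python's `ssl` module and assumes the local OpenSSL build still permits `kRSA` suites; it needs network access and is not exercised by the offline part.

```python
"""Classify a TLS server's negotiated key exchange (RSA vs ephemeral) from
`openssl s_client` output, and optionally probe a host for RSA key exchange support."""
import re
import socket
import ssl

# TLS 1.3 suites carry no key-exchange name; TLS 1.3 always uses (EC)DHE.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "TLS_ECDHE_", "TLS_DHE_")
# Static-DH, anonymous, PSK and similar suites: neither RSA kex nor ephemeral.
OTHER_PREFIXES = ("ECDH-", "DH-", "ADH-", "AECDH-", "PSK-", "SRP-", "NULL-")


def key_exchange_kind(cipher_name):
    """'rsa', 'ephemeral', 'other' or 'none' for an OpenSSL- or IANA-style suite name."""
    name = cipher_name.strip()
    if name in ("0000", "(NONE)"):
        return "none"                      # s_client prints these when no handshake completed
    if name in TLS13_SUITES or name.startswith(EPHEMERAL_PREFIXES):
        return "ephemeral"
    if name.startswith("TLS_"):
        return "rsa" if name.startswith("TLS_RSA_WITH_") else "other"
    if name.startswith(OTHER_PREFIXES):
        return "other"
    # OpenSSL names with no key-exchange prefix (AES128-SHA, DES-CBC3-SHA, ...)
    # are RSA key exchange.
    return "rsa"


def parse_s_client(output):
    """Pull protocol, cipher and (when printed) the server temp key from s_client text."""
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    temp = re.search(r"^Server Temp Key:\s*(.+)$", output, re.M)
    if not cipher:
        return None
    name = cipher.group(1)
    return {
        "protocol": proto.group(1) if proto else None,
        "cipher": name,
        "key_exchange": key_exchange_kind(name),
        "server_temp_key": temp.group(1).strip() if temp else None,
    }


def server_accepts_rsa_key_exchange(host, port=443, timeout=5.0):
    """Live check (needs network). Offers only RSA-key-exchange suites on TLS <= 1.2.
    True: the server still negotiates RSA kex. False: the handshake was refused, i.e.
    the server has dropped RSA kex, which is the situation the thread describes."""
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("kRSA")                # assumption: local OpenSSL still builds kRSA suites
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher() is not None
    except ssl.SSLError:
        return False


# Constructed sample of the tail of `openssl s_client -connect host:443` output.
SAMPLE_S_CLIENT = """\
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Server Temp Key: ECDH, P-256, 256 bits
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 00112233445566778899AABBCCDDEEFF
---
"""

if __name__ == "__main__":
    print(parse_s_client(SAMPLE_S_CLIENT))
```

If the parsed key exchange is `ephemeral` and the live probe returns False, the site can no longer be decrypted by RSA-key-based interception and the upgrade Ben mentions (or a bypass for that site) is the fix; if the site still negotiates RSA and decryption fails anyway, the pool and proxy counters from the commands above are the next place to look.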
04-20-2016 11:05 AM
We have it scheduled to upgrade to 7.1, will see if this resolves the issue.
04-20-2016 01:03 PM
There are quite a few "known issues" with both 7.1.0 and 7.1.1; you might want to evaluate and make sure it's stable for your environment.
04-28-2016 06:14 AM
Thank you. I will be contacting my SE to discuss upgrade suggestions.