07-15-2019 10:58 AM
Hi Guys,
I'm experiencing an issue where one site is not accessible when the decryption profile is enabled with no decryption for SSL forward proxy. After disabling "block untrusted issuer" I'm able to access the site.
I'm facing this issue on the PA-850 platform, PAN-OS 8.1.8. We upgraded PAN-OS from 8.1.7 to 8.1.8.
I would also like to add that the certificates are in the default trusted certificate store.
The site is https://www.axa-portal.com. Has anyone experienced this behaviour?
Regards
Venky
07-15-2019 01:13 PM
The intermediary cert in that chain is not trusted by default on the firewall; you will need to manually add it and mark it as a trusted certificate to get the website to function with a decryption policy attached.
07-15-2019 11:01 PM
Hi @BPry
Thanks for your reply. I have tried to replicate this issue in my lab, but I'm not seeing the same issue.
My lab firewall doesn't have the intermediate certificate trusted in the default trust store, but the website works fine.
Also, I'm seeing this error (DECRYPT_CERT_VALIDATION) only after upgrading from PAN-OS 8.1.7 to 8.1.8.
07-17-2019 03:41 AM
Hi @BPry
Thanks for your help. It works after adding the certificate and marking it as trusted.
Regards
Venky
07-17-2019 10:03 AM
Is there a better way to proceed than manually adding certs that are missing from the chain? Or is it just kind of stuck the way it is? I'm guessing once these certs expire, you either find out the hard way or monitor the certs in your store to keep an eye on anything getting close to expiration?
07-17-2019 10:08 AM
If there is, I don't know about it; I believe you're just kind of stuck managing the cert as you would if you had imported your own. The benefit is that the big public certificate authorities will usually start using a different intermediary instead of renewing the cert, so you essentially just have to add the new certificate and then remove any that actually expire.
07-17-2019 10:12 AM
Ah. I see. Thank you very much for the insight. Good to know!
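The two points this thread turns on (a leaf that fails validation when its intermediate is absent from the trust store, and the need to watch imported intermediates for expiry) can be reproduced locally with openssl. The script below is an added example and is not from the original thread, from Palo Alto Networks or from the posters: it builds a throw-away root/intermediate/leaf PKI with made-up names (Example Root CA, Example Intermediate CA, www.example.test), validates the leaf against a store that holds only the root, first without and then with the intermediate supplied, and then runs the expiry check you would schedule against every manually imported intermediate.

```shell
#!/bin/sh
# Added example, not part of the original thread. Reproduces the
# "untrusted issuer" condition behind the DECRYPT_CERT_VALIDATION error with
# a throw-away three-tier PKI, then shows an expiry check for imported certs.
# All names (Example Root CA, Example Intermediate CA, www.example.test) are
# made up for the demo.
set -e

# Create root, intermediate and leaf certificates in directory $1.
make_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Root CA: self-signed; openssl's default x509 config marks it CA:TRUE.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
    # Intermediate CA, signed by the root (this is the cert the firewall lacked).
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$dir/ca.ext" \
        -out "$dir/int.pem" >/dev/null 2>&1
    # Server (leaf) certificate, signed by the intermediate.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\nextendedKeyUsage=serverAuth\n' \
        > "$dir/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$dir/leaf.ext" \
        -out "$dir/leaf.pem" >/dev/null 2>&1
}

# Validate $1/leaf.pem against a trust store that contains only the root.
# $2, if given, is a file of extra (untrusted) certificates made available
# for path building: what the validator gets when the server sends its
# intermediate, or when the admin imports that intermediate on the firewall.
# Prints openssl's verdict; returns 0 only when the chain verifies.
verify_leaf() {
    dir="$1"
    extra="$2"
    if [ -n "$extra" ]; then
        out=$(openssl verify -CAfile "$dir/root.pem" -untrusted "$extra" "$dir/leaf.pem" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$dir/root.pem" "$dir/leaf.pem" 2>&1) || true
    fi
    printf '%s\n' "$out"
    case "$out" in
        *": OK") return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if certificate $1 is still valid $2 seconds from now, 1 if it
# expires before then. Run this against every manually imported intermediate
# so you are not surprised by the expiry.
still_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Demo run: same leaf, same root-only trust store, with and without the intermediate.
PKI_DIR=$(mktemp -d)
make_pki "$PKI_DIR"
echo "leaf alone (intermediate unknown to the trust store):"
if verify_leaf "$PKI_DIR"; then echo "-> accepted"; else echo "-> rejected: issuer not trusted"; fi
echo "leaf with the intermediate supplied:"
if verify_leaf "$PKI_DIR" "$PKI_DIR/int.pem"; then echo "-> accepted"; else echo "-> rejected"; fi
echo "intermediate still valid for 30 days?"
if still_valid_for "$PKI_DIR/int.pem" 2592000; then echo "-> yes"; else echo "-> no, renewal due"; fi
```

To see which intermediate a real site actually sends (and therefore which one the firewall would need), `openssl s_client -connect host:443 -showcerts </dev/null` prints the full chain the server presents; the issuer of the first certificate that does not chain to a root already in the store is the one to import and mark trusted. The first verify call fails with "unable to get local issuer certificate", which is the openssl counterpart of the firewall's untrusted-issuer block; the second succeeds without touching the root store, which is why importing just the intermediate was enough in the thread.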