This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Inbound SSL decryption - Digicert

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Inbound SSL decryption - Digicert

raji_toor
L4 Transporter

‎08-11-2020 02:47 PM

If inbound SSL inspection when using Digicert certificate is not supported, what is the alternative. We have many web-servers using same wildcard cert used for GlobalProtect and wanted use this same certificate but it doesn't work. Is there any other mechanism to implement inbound SSL inspection.

0 Likes Likes
15 REPLIES 15

Remo
L7 Applicator
In response to raji_toor

‎08-15-2020 04:55 AM

Hi @raji_toor 

You now reached a point where it is at least possible, that something on the firewall ist not compatible with the F5. So at this point I would recommend to open a support case and then continue with the following troubleshooting (these logs will also be required in the support case). 

Obbiously you need to change the IPs and maybe also the port, depending on your configuration

  • clear counter global
  • debug dataplane packet-diag clear all
  • debug dataplane packet-diag clear log log
  • debug dataplane packet-diag set filter match source 1.1.1.1 destination 2.2.2.2 destination-port 443 protocol 6
  • debug dataplane packet-diag set log feature proxy basic
  • debug dataplane packet-diag set log feature flow basic
  • debug dataplane packet-diag set log on
  • debug dataplane packet-diag set capture on

Then you connect to the VIP with decryption enabled and right after that enter the following command. In the output, maybe you already see a specific counter which could lead to the reason of the problem

  • show counter global filter packet-filter yes

Try to connect a second time and then stop the logging and capture

  • debug dataplane packet-diag set log off
  • debug dataplane packet-diag set capture off

Then aggregate the logs. The output of the command will show you the filename that you need to analyze

  • debug dataplane packet-diag aggregate-logs

Prior to analyze the logfile start now with generating a techsupportfile (for the supportcase)

Maybe for analysis you want to copy the logile away from the firewall to open it in a texteditor but of course you can also view it in cli. About here I don't know what to do exactly, I would scroll through the logs to find something that maybe shows the reason why the TLS handshake fails after the client hello.

 

0 Likes Likes
  • 9348 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks