Inbound SSL decryption troubleshooting on PANOS 9


L0 Member

I am trying to configure URL filtering on an internal SSL web host and having problems. I've found multiple videos and articles on both URL filtering and inbound SSL decryption but I cannot get it to work. I've taken a step back and am just trying to verify the SSL decryption is working. I have uploaded the SSL cert (PKCS12 format) no problem. Also created the decryption profile and the encryption policy rule. Finally, I created a general policy to allow the traffic. All configs were done following the instruction in this video by the Palo Alto community: https://www.youtube.com/watch?v=oTivQY1RHu4

The problem is that I have no way to verify the decryption is working. Other documentation I have found shows there is a decryption log under Monitor ---> Logs. However, on PANOS 9 there is no decryption log. If I look at the Traffic Logs I can see traffic to the SSL web server. If I click on the details I can see the Decrypted flag is not set so it looks like the traffic is not decrypted. Without the right logs I am lost as to what is going on. Is there some log in PANOS 9 that contains more detailed info about decryption?

Cyber Elite

@acravens,

What are the logs showing you, are they displaying decrypt-error on the session logs? The first things to look at that are the most common are the following. You're going to need to break out Wireshark on this one.

  • Unsupported cipher suites
  • Unsupported EC curves
  • Server using certificate chains
  • Server sending client certificate verify
  • Server Configured with client certificate auth
  • Client sending SSL alert due to unknown certificate or bad certificate

Personally, you'll usually find that you have a mismatch between supported ciphers or the certificate chain as the most common issues. 

L0 Member

I can't find any logs related to the decryption at all. Under the Logs section these are the logs I have available:

  • Traffic
  • Threat
  • URL Filtering
  • Wildfire Submissions
  • Data Filtering
  • HIP Match
  • IP-Tag
  • User-ID
  • Tunnel Inspection
  • Configuration
  • System
  • Alarms
  • Authentication
  • Unified

I've checked all these categories and can find no logs related to SSL decryption.

Cyber Elite

@acravens,

The decrypt-error would be found in your traffic logs under session_end_reason. Those are the only logs you'll find on your version of PAN-OS. You'll need to do the verification legwork yourself.
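Since the traffic log is the only place this version records a decryption outcome, one practical way to do the "verification legwork" is to export the traffic log and sort sessions to the SSL host into three buckets: ended with decrypt-error (the decryption policy matched but the handshake failed, which points at the cipher, curve or certificate-chain causes listed earlier), decrypted normally, or ended normally without ever being decrypted (the decryption policy did not match). The script below is an added example, not from this thread or from Palo Alto Networks; it assumes a simplified CSV with the column names shown, and the log rows are constructed for illustration. A real export carries many more columns, so map the ones you need before using it.

```python
"""Triage exported PAN-OS traffic log rows for an inbound-decryption server.

Added example (not from the thread or from Palo Alto Networks). It assumes a
simplified CSV export with the column names used below; real exports carry
many more columns, so map the ones you need first. The rows are constructed.
"""
import csv
import io
from collections import Counter

# Constructed sample: a few sessions to the internal HTTPS host 10.0.0.25.
SAMPLE_LOG = """\
receive_time,src,dst,dport,app,session_end_reason,decrypted
2020/11/06 09:00:01,192.168.1.10,10.0.0.25,443,ssl,decrypt-error,no
2020/11/06 09:00:05,192.168.1.11,10.0.0.25,443,web-browsing,tcp-fin,yes
2020/11/06 09:00:09,192.168.1.12,10.0.0.25,443,ssl,tcp-fin,no
2020/11/06 09:00:12,192.168.1.10,10.0.0.30,443,ssl,tcp-fin,no
2020/11/06 09:00:20,192.168.1.13,10.0.0.25,443,ssl,decrypt-error,no
"""


def parse_rows(text):
    """Return the CSV export as a list of dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows, server_ip, port="443"):
    """Summarise the decryption outcome of TLS sessions to one server.

    Returns counts of sessions the firewall ended with decrypt-error, sessions
    it decrypted (Decrypted flag set), and sessions that ended normally but were
    never decrypted, plus the source IPs of that last group.
    """
    summary = Counter()
    undecrypted_sources = []
    for r in rows:
        if r["dst"] != server_ip or r["dport"] != port:
            continue  # only sessions to the server being troubleshot
        if r["session_end_reason"] == "decrypt-error":
            summary["decrypt_error"] += 1
        elif r["decrypted"] == "yes":
            summary["decrypted"] += 1
        else:
            summary["not_decrypted"] += 1
            undecrypted_sources.append(r["src"])
    return {"counts": dict(summary), "undecrypted_sources": undecrypted_sources}


def verdict(result):
    """Map the counts to the next troubleshooting step."""
    c = result["counts"]
    if c.get("decrypt_error"):
        # Policy matched but the handshake failed: take a packet capture and
        # compare ciphers, curves and the certificate chain with the firewall.
        return "handshake-failing"
    if c.get("decrypted"):
        return "working"
    if c.get("not_decrypted"):
        # Sessions never entered decryption: re-check the decryption policy match.
        return "policy-not-matching"
    return "no-sessions"


if __name__ == "__main__":
    res = triage(parse_rows(SAMPLE_LOG), "10.0.0.25")
    print(res)
    print(verdict(res))
```

A mixed result (some decrypt-error, some not decrypted) is worth reading per source: a single client that never reaches decryption while others fail the handshake usually means two separate problems, a policy gap for that client and a server-side TLS mismatch for the rest.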
