PA-3020 SSL Decryption Query


L3 Networker

Hi, I have enabled SSL decryption (forward proxy) on our PA-3020 firewall. The certificate is generated from our CSR and is installed on our PA-3020. I have set up a separate forward trust and forward untrust certificate. The forward trust certificate has been distributed via Windows Group Policy and resides in the 'intermediate' and 'trusted' cert authorities within Windows. I can confirm that the SSL decryption appears to have been set up correctly, as demonstrated in the screenshots provided. When accessing 'bbc.com' through the Microsoft Edge browser I am getting a trusted cert from the PA-3020. When accessing 'badssl.com' in Microsoft Edge I am getting the correct untrusted certificate from the PA-3020. However, when using Google Chrome I am getting an error about weak encryption on the firewall. It states that I am using a weak encryption algorithm. When creating the cert on the PA-3020 I used an RSA algorithm (2048 bits) and a SHA256 digest. Can you advise why the PA-3020 certificate is not working on Google Chrome?

4 REPLIES

Cyber Elite

@Jatin.Singh,

What version of PAN-OS are you running?

@BPry

Version 8.0.9.

 

I have blocked ‘quic’ on the firewall for my test user. This still allowed traffic to work using Google Chrome. However, when I enabled SSL decryption I received the same error in Chrome - NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM.

@Jatin.Singh,

This could actually be due to Chrome supporting TLS 1.3 and the PAN-OS version you are running not knowing to get out of the way and not attempt to decrypt the traffic. This was added to PAN-OS 8.0 in either 8.0.14 or 8.0.16; I can't recall exactly which one. I would upgrade your firewall to 8.0.19 and see if the issue persists.

FYI, PAN-OS 8 goes EOL on Oct 31st; I would start planning your upgrade to 8.1.

@BPry

I have upgraded the Palo to 8.1.9 and the issue is still there. Is there any other solution for this issue?
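Added example, not from this thread or from Palo Alto: a standard-library Python checker that reads the signatureAlgorithm OID out of a DER certificate, the field Chrome evaluates before raising NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM, so the certificate the client actually receives through the forward proxy can be inspected for SHA-1 or MD5 (Chrome rejects those on the leaf and on any intermediate, so the forward trust CA certificate issued against your CSR is worth checking as well as the firewall-generated leaf). It assumes network access only for `check_host`; the embedded DER is a constructed skeleton, not a real certificate.

```python
# Added example, not from the thread: stdlib-only check of which signature
# algorithm a certificate carries (the field Chrome evaluates as "weak").
import ssl

WEAK_SIG = {                                      # OIDs Chrome treats as weak
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
OK_SIG = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
          "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def _tlv(buf, pos):
    """Decode one DER element at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: next n bytes hold length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):
    """Decode an OBJECT IDENTIFIER body into dotted-decimal form."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                          # high bit clear ends a sub-identifier
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm of a DER X.509 certificate."""
    _, cert, _ = _tlv(der, 0)                     # Certificate ::= SEQUENCE {
    _, _, pos = _tlv(cert, 0)                     #   tbsCertificate (skipped)
    _, alg_id, _ = _tlv(cert, pos)                #   signatureAlgorithm AlgorithmIdentifier
    tag, oid, _ = _tlv(alg_id, 0)                 #     algorithm OBJECT IDENTIFIER
    assert tag == 0x06, "AlgorithmIdentifier does not start with an OID"
    return _oid(oid)

def check_der(der):
    """Return (oid, name, is_weak) for a DER certificate."""
    oid = signature_algorithm(der)
    return oid, WEAK_SIG.get(oid) or OK_SIG.get(oid, "unknown"), oid in WEAK_SIG

def check_host(host, port=443):
    """Check the leaf certificate the client actually receives through the proxy."""
    return check_der(ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port))))

# Constructed sample (not a real cert): stub tbsCertificate, outer AlgorithmIdentifier
# sha1WithRSAEncryption (1.2.840.113549.1.1.5) with NULL params, empty BIT STRING.
SAMPLE_SHA1_DER = bytes.fromhex("3017" "3003020101" "300d06092a864886f70d0101050500" "030100")
```

Run `check_host("bbc.com")` from a decrypted client to see the algorithm on the firewall-issued leaf; export the forward trust CA from the Windows store as PEM and pass `ssl.PEM_cert_to_DER_cert(pem)` to `check_der` to inspect the CA certificate itself.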
