Palo alto certificate error?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Palo alto certificate error?

L2 Linker

hi all,

 

I am using PA-850 and configure certificate decryption. I am having the problem with this. when I configured to decrypt for any source, client would get the error "ERR_SSL_VERSION_OR_CIPHER_MISMATCH", and could not access to any websites. 

 

But when I configured to decrypt some client only in source, it worked well.  I dont know if It was overload at certficate decrypton. please help to advise me on this. I have about 600 users.

 

thanks

9 REPLIES 9

Cyber Elite
Cyber Elite

@Chivas,

You'll have to provide a bit more information on your end to get a meaningful recommendation. The PA-850 supports a max concurrent session limit for decryption of 19,200, so you could possibly be running into that depending on your setup but not with that error message. 

Can you post how you have your decryption profile setup, and how exactly you had configured the decryption policy. 

Hi BPry,

 

I am using defaut decryption profile like below picturedefault profile.png

and the policy is:

 

from source: Any -- to -- Destination: Untrust. Option: Decrypt. Type: SSL Forward Proxy.  Decryption profile: Default

 

The session count: about 23.200/196606

 

and when I use "show session all filter ssl-decrypt yes count yes" it displays 3329

 

 

 

Thanks

@Chivas,

So if you're using the default decryption profile the end client should still be able to access most sites. You may have to install the certificate that you're using to decrypt the traffic to get pass security warnings presented by the browser about not being a trusted website, but it shouldn't prevent you from accessing the site. 

Can you verify on your security policies that you don't have anything blocking the traffic? When you setup decryption you'll start to see web-browsing come across on tcp/443, make sure that you're allowing this traffic to actually pass in your security rulebase. By default this doesn't fall under 'application-default' and some people miss it when setting up decryption for the first time. 

hi BPry,

 

Yes. I installed the certificate on clients. and allow any source to access internet. 

 

If I disable the dcryption policy or add some clients in to source address, clients could access internet without any errors.

but if I add "any" in source, all clients will get the error when access internet.

 

it worked normally for some weeks ago. just happen recenty two days.

Are users using Chrome?

Does it work with IE?

Are you using latest 8.1.4 PANOS?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

hi Raido,

 

It doesn't work with chrome, firefox, IE,...

 

I am using 8.0.2 PANOS. I will update Pan OS and try to see if it works.

L2 Linker

Were you able to resolve this issue? 

L2 Linker

I have similar issue where I'm getting "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" while decrypting inbound traffic. I'm doing it for single user. 

Community Team Member

Hi @hpatel11 ,

 

Sounds like you're hitting an unsupported cipher.

 

Do a PCAP and check the client and server hello's and negotiation and match them against the compatibility matrix.

Check out this KB:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMaTCAW

 

and check the compatibility matrix matching your PAN-OS:

https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites

 

Cheers !

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
  • 6435 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!