Palo Alto firewall generates SSL version / cipher suites errors

L1 Bithead

Hi, I have a very strange issue. I have a web server protected by a Palo Alto NGFW; if I disable inbound SSL inspection policies everything works fine and I can access the server as intended.

However, when I enable the inbound SSL inspection policy, with the proper certificates imported in the NGFW, I always get SSL version / cipher suites errors (the error message varies depending on the browser I use).

I did not configure my browser (nor the web server) to enforce specific algorithms.

The web server runs on Apache.

I use a self-signed root CA and a self-signed certificate for the web server.


Thank you for your help

Cyber Elite

@tombarat,

What does your Decryption Profile look like? Can you share that here.

L1 Bithead

Hello,

I tried using the default decryption profile, and I also tried with no decryption profile (I was under the impression that this would lead the firewall to accept all SSL versions and ciphers).

After a reboot of the firewall, I no longer get unsupported versions/ciphers error messages, but the firewall systematically resets both client and server before the end of the handshake, leading to a "secure connection failed" error page.

Another piece of info that might be useful: the firewall logs the session as application ssl over port 443 with the decrypted flag raised.


Thank you in advance for any insight.

Cyber Elite

@tombarat,

If you are using a decryption policy, you need a decryption profile associated with it; not having one will not do what you are looking for. The logs you are talking about show the decryption flag because they matched a decryption policy that you have configured; however, since you took away the decryption profile, it didn't know how to handle the traffic.

Please take a look at the inbound inspection document HERE and verify that you actually have everything set up correctly. Once you've done that, verify that the certificate chain is actually marked as a Trusted Certificate Authority on the certificates that you've imported and that the full certificate chain is actually on the firewall. If you are missing any of the intermediate certificates, then the firewall by default will not trust the certificate.
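One way to check the chain condition that reply describes, as an added example that is not from the thread and not Palo Alto Networks' own tooling: the script below builds a throwaway lab PKI with openssl (constructed names: Lab Root CA, Lab Intermediate CA, www.lab.example) and runs `openssl verify` twice, once with the intermediate available and once without, to show that a leaf issued through an intermediate stops verifying as soon as that intermediate is absent, which is the same condition a device hits when the chain loaded on it is incomplete. It also checks whether a certificate is self-signed (subject equals issuer), which is how a self-signed server certificate like the poster's differs from a leaf issued by a CA. The firewall itself is not simulated; openssl's verification stands in for it.

```shell
#!/bin/sh
# Added example (not from the thread or Palo Alto): build a throwaway lab PKI
# with openssl and show the "is the full chain present" check. All names and
# files below are constructed for the demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Constructed root CA (self-signed), like the poster's own lab root.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Lab Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1

# 2. Intermediate CA signed by the root. CA:TRUE is what makes it a usable
#    issuer; without it, verification would reject it as an issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca_ext.cnf"
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=Lab Intermediate CA" \
  -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" >/dev/null 2>&1
openssl x509 -req -days 30 -in "$WORK/intermediate.csr" \
  -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
  -extfile "$WORK/ca_ext.cnf" -out "$WORK/intermediate.crt" >/dev/null 2>&1

# 3. Leaf certificate for the web server (hypothetical name www.lab.example),
#    issued by the intermediate, not by the root.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.lab.example\n' \
  > "$WORK/srv_ext.cnf"
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=www.lab.example" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -days 30 -in "$WORK/server.csr" \
  -CA "$WORK/intermediate.crt" -CAkey "$WORK/intermediate.key" -CAcreateserial \
  -extfile "$WORK/srv_ext.cnf" -out "$WORK/server.crt" >/dev/null 2>&1

# verify_chain LEAF ROOT [INTERMEDIATE]
# Returns 0 when LEAF chains to ROOT using only the certificates given. This
# mirrors a device that trusts ROOT and either has or lacks the intermediate.
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# is_self_signed CERT
# Returns 0 when subject and issuer are identical. Works with both the old
# "subject= /CN=..." and the newer "subject=CN = ..." openssl output formats.
is_self_signed() {
  s="$(openssl x509 -in "$1" -noout -subject)"
  i="$(openssl x509 -in "$1" -noout -issuer)"
  [ "${s#subject=}" = "${i#issuer=}" ]
}

report() {
  if verify_chain "$WORK/server.crt" "$WORK/root.crt" "$WORK/intermediate.crt"; then
    echo "full chain present:   server.crt verifies against the root"
  fi
  if ! verify_chain "$WORK/server.crt" "$WORK/root.crt"; then
    echo "intermediate missing: server.crt does NOT verify (no local issuer)"
  fi
  if is_self_signed "$WORK/root.crt"; then
    echo "root.crt is self-signed (expected for a root)"
  fi
  if ! is_self_signed "$WORK/server.crt"; then
    echo "server.crt is a leaf issued by the intermediate, not self-signed"
  fi
}
report
```

Run it with any openssl 1.0.2 or later on the path. The second `verify_chain` call is the one that matters for this thread: a trusted root alone is not enough when the server certificate was issued through an intermediate, so every intermediate has to be loaded alongside the root.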

L1 Bithead

Hi,

I set the decryption profile to default for my inbound SSL decryption policy. Now the traffic is still logged as ssl over port 443, but the decryption flag is down and the session end reason is n/a.

The document you provided was the one I used to make the configuration in the first place, the only step not implemented being the WildFire analysis, because I don't need it right now and I want to enable features progressively.

As for the certificate chain considerations, I am working in a lab environment, so my web server's certificate is self-signed and generated using OpenSSL. It shows in the Panorama management console as a CA and trusted root certificate, and the status is valid.


Thank you again for your help.
