08-29-2015 02:25 PM - edited 08-29-2015 02:27 PM
Yesterday I upgraded my PA VM-100 from panos-7.01 to 7.02.
After that, Facebook stopped working with SSL decryption on.
After some testing and troubleshooting this seems to be the problem.
The problem is that some Akamai domains that Facebook uses give me a Palo Alto certificate untrusted page.
For example, this domain: https://fbcdn-profile-a.akamaihd.net
The strange thing is all the certificates used by this domain are already in the PA trusted cert auth list.
Just to be sure I downloaded the certs and added them manually to the PA, but no difference.
After spending 2 hours debugging and trying to get it to work,
of course I can exclude those domains from decryption or let the PA ignore untrusted certs, but that's not the way to do it. I downgraded to panos 7.0.1 and the untrusted cert problem disappeared.
Are more people having this issue? I think there are more sites that stop working after the upgrade.
Has anyone found a solution?
09-01-2015 01:14 PM
I had this same issue on my 5050 units and had to roll back to 7.0.1 to fix. This issue affected multiple sites including www.paloaltonetworks.com.
09-03-2015 06:13 AM
Any updates from the TAC cases?
09-04-2015 11:27 AM
Long call with TAC. No resolution besides rolling back to 7.0.1. Scheduling a maintenance window to roll back. Maybe 7.0.2 will join its 7.0.0 cousin.
09-06-2015 11:27 PM
Hi,
Seems like TAC is struggling to find the problem here and also to reproduce it.
Can those of you that have opened up cases on this share the case numbers? That way we can make sure that support knows that this problem is common for many users.
My case number is 00371068
/Jo Christian
09-08-2015 05:09 AM
Case 00372222
@Sully wrote: Long call with TAC. No resolution besides rolling back to 7.0.1. Scheduling a maintenance window to roll back. Maybe 7.0.2 will join its 7.0.0 cousin.
09-15-2015 06:56 AM
Same problem here. 7.0.2 on PA-3020. Reproducible with www.yahoo.com.
Case Number: 00377771.
Anyone heard something from TAC regarding this issue?
09-16-2015 02:03 AM
Please let me know if this helps:
1) Instead of creating a separate cert to use as a forward untrust, try using the existing cert as both, forward trust and forward untrust.
2) Disable blocking of any untrusted issuers in the certificate profile or try disabling the cert profile altogether.
09-16-2015 07:23 AM
Having the same issues here as well. Funny thing is that I was seeing this for a few sites on 6.1.5 as well before moving to 7.0.2, but not nearly as often (like once a week someone would say Amazon wasn't working then it would "fix" itself randomly).
Some examples for us are eBay (https://signin.ebay.com/), Konica (https://www.mykmbs.com), Trustwave (www.trustwave.com), and ATT (https://businessdirect.att.com).
The interesting thing is that occasionally I can get the eBay site to work in Chrome if I just keep hitting refresh, however I can never get it to work in IE11.
Our decryption policy does not contain anything complicated (just trust to untrust) and does not utilize a decryption profile. I tried enabling the "default" decryption profile but that did not make any difference. I haven't tried creating a custom profile and playing around with any settings as of yet.
Case: 00378726
09-21-2015 11:15 AM
We were having the same issue and had to roll back to 7.0.1, PA confirmed the bug (case #00371611) and said it'd be fixed for 7.0.3.
09-21-2015 11:54 AM
Any ideas when 7.0.3 will be released? Downtime to go back to 7.0.1 and then again (if soon) for 7.0.3 isn't going to be well received. Would be great to have release date visibility.
09-22-2015 08:04 AM
I was told by TAC 7.0.3 would be released the week of Oct 19.
10-15-2015 12:40 AM - edited 10-15-2015 12:59 AM
PANOS 7.0.3 is out. According to the release note this bug should have been fixed.
edit:
I did some smoke tests with 7.0.3 and for me the bug is fixed.
10-20-2015 08:23 AM
From what I can tell this does in fact seem to be fixed in 7.0.3.
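
A check for this symptom, added here as an example and not posted by anyone in the thread: from a client behind the firewall, test whether each site's re-signed certificate chains to the forward-trust CA or to the forward-untrust CA. The two PEM file names are assumptions (CA certificates exported from your own firewall), and the function names are illustrative.

```python
"""Classify how a decrypting firewall re-signed each site's certificate."""
import socket
import ssl
import sys

# Assumed file names: the forward-trust and forward-untrust CA certificates
# exported from the firewall in PEM format.
TRUST_CA = "forward-trust-ca.pem"
UNTRUST_CA = "forward-untrust-ca.pem"


def chain_verifies(host, cafile, port=443, timeout=5):
    """Return True if the chain presented for host validates against cafile alone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # only the issuing CA matters for this check
    ctx.load_verify_locations(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:  # chain does not lead to the CA in cafile
        return False


def classify(host, probe=chain_verifies):
    """Report which firewall CA, if any, signed the certificate seen by the client."""
    try:
        if probe(host, TRUST_CA):
            return "decrypted-trusted"
        if probe(host, UNTRUST_CA):
            return "decrypted-untrusted"  # firewall judged the server chain untrusted
        return "not-decrypted-or-other-issuer"
    except OSError:  # DNS failure, refused connection, timeout
        return "unreachable"


def untrusted_hosts(hosts, probe=chain_verifies):
    """Hosts the firewall re-signed with the forward-untrust CA."""
    return [h for h in hosts if classify(h, probe) == "decrypted-untrusted"]


if __name__ == "__main__":
    # Usage: python check_decrypt.py signin.ebay.com www.yahoo.com ...
    for name in sys.argv[1:]:
        print(f"{name}: {classify(name)}")
```

Running it against the same host list before and after an upgrade shows whether sites with publicly trusted chains have moved into the `decrypted-untrusted` group.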