After upgrading my lab to PAN-OS 8.0, forward decryption failed when using Firefox and Chrome.
IE 11 and Edge still work.
For example, when I go to www.google.com,
Chrome displays: www.google.com uses an unsupported protocol.
Firefox: Advanced info: SSL_ERROR_NO_CYPHER_OVERLAP
In the PA logs: Session end Reason = decrypt-error.
PA continues the tradition of breaking decryption on new major releases ;)
Does anyone else have the same issue?
What version were you running in your lab prior to moving to 8.0? It sounds like the same problem I had when I moved from 7.0.x to 7.1.x, where in 7.1 they changed the default behavior in App-ID and I had to make sure my outbound rules were changed from "application-default" to "any".
PAN-OS 8.0 is going to have a large number of issues. I remember upgrading to one of the beta versions a couple of months back and it broke everything on the box. It continued to go through a reboot cycle until I was finally able to catch it correctly to jump into maint mode. It wasn't the simple "you have 5 seconds to type 'maint'"; it would jump past that 9/10 times and just restart the cycle all over again. :(
It seemed to break because there was some config on there from 7.1 and it did not accept anything. I had to go and factory reset a 200 to have no configuration whatsoever before putting 8.0 on it.
It finally works now, but it's still strange.
What did I do:
It's all VM, so I reverted the snapshot to the previous (working) 7.1.7 snapshot.
For PAN-OS 8 you need to modify your VM "hardware": increase memory to 6.5 GB, and the disk size needs to be 60 GB.
But the last time I only increased the memory, so this time I also increased the disk from 40 to 60 GB.
After the disk size increase I upgraded to 8.0 again.
Then I started the VM-100 and that was it for that day; I did not test it or use it.
Today (1 day later) I wanted to examine the decryption issue further, but it started working immediately.
I have the same issue and it's affecting all Google domains on Chrome and Firefox, but the weird thing is it's working fine on Internet Explorer!
Do I need to downgrade to resolve this?
If the VM that you are using (if using a VM) meets requirements, then yes you will likely need to revert to get things working again. I've seen that sometimes the upgrade itself causes an issue and simply reinstalling 8.0 gets things working again. Seeing as 8.0 is a brand new major software version I would advise that most people stick with 7.1.* as 8.0 is not yet a recommended release.
First: Open a case with TAC
I did some more research after my issue.
Immediately after installing or rebooting a PAN-OS 8.0 firewall this issue is present.
The issue disappeared by just waiting x hours without changing anything.
Yet I don't know what the minimum time for x is.
In my test I waited approx. 12 hours.