PAN-OS 8.0 Decryption Issue with Firefox and Chrome

Reply
Highlighted
L1 Bithead

Try using different browser.

Had same issue here in LAB. FF returned an error while IE ran just fine. See screenshots.

I assume both browsers try to establish a different SSL connection.

 

 

Highlighted
L1 Bithead

Schermafbeelding 2017-03-08 om 13.44.14.pngSchermafbeelding 2017-03-08 om 13.42.52.png

Highlighted
L3 Networker

Niets veranderen aan de PA een aan aantal uren laten draaien en opeens werkt het.

Na een reboot van de PA weer hetzelfde verhaal.

Highlighted
L3 Networker

PAN-OS 8.0.1 issue still exist.

Highlighted
L0 Member

I can confirm I installed 8.1 on 3 units, all of them had the same issue, No Chrome (google sites) working. Spent a few hours trying different rules and fixes, nothing worked. Then I read the post about waiting X hours, so I waited until the next morning and everything works again, great.  Hopefully it does not return after a reboot and the cycle starts again, X hours for things to work again.

 

Highlighted
L2 Linker

Hi

 

Any news on this? Have been seeing strange behaviour very similar to this with Android 7.1 / Google / PAN 8.0.1. 

 

Thanks 

Highlighted
L2 Linker

David, we had the same issue after upgrading from 7.1.8 to 8.0.1 and after 24 hours it had resolved itself. Our TAC gave us a command that may help:

 

debug dataplane reset ssl-decrypt certificate-cache

 

I've asked them the question to whether this issue resurfaces after a reboot.

 

We also have issue with most of the Google apps including Play Store, the Wiki and Instagram app and decryption. I have a feeling most will have to bypass decryption at the OS level...

Highlighted
L2 Linker

Thanks for this. 

 

Yes - have been chasing why Android phone (Nexus running Android 7.1.1)  when initially connected notifies me of no internet. Think this is now a connectivity check via SSL, if I place a decryption exception I can get past this hurdle so guessing something is pinned in Android. 

 

Also Google play no good, activity feed on Google Now/Assistant no good. Monitoring -> Logs -> Traffic I see session end as "Policy-Deny" on the decrypted traffic - category identified is search engines. 
Do not decrypt - search engines & content delivery networks and everything seems a great deal better. 

 

Ill keep at it. This is all on PAN 8.0.1 with SSL decryption enabled. 

++ update very interesting:-  https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html   looks like Android 7.1.1 has tightened up and possibly mitm no longer possible.

+++ https://serializethoughts.com/2016/09/10/905/

 

Highlighted
L1 Bithead

Hello,

We have that problem on 8.0.1 but we do not use VM series but PA3020. DId you find workaround?

Highlighted
L2 Linker

We also have a 3020, the only workaround we have at the moment is the command I posted earlier (untested) or wait 24 hours and it started working.

 

In terms of Google, et al and their apps not working with decryption, this is currently with our TAC (including the links above from David) and a remote session due this morning...

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!