05-26-2013 11:18 AM
Hi,
there are various settings in the decryption profile and also under Device -> Sessions -> Decryption Certificate Revocation Settings to control how the firewall should deal with expired or self-signed certificates etc. I am currently testing these things in a Lab and I am having difficulty seeing any differences in the firewall's behavior when I change any of these settings.
Example: decryption profile allows expired certificates. I can surf to a site that has an expired certificate. Now I change the decryption profile to block expired certificates but I can still open the same website. When I reboot the firewall, I can no longer open that website. So there is obviously some sort of caching going on and the fine print on the bottom of the decryption profile options dialog confirms that (it says 12 hours).
Is there some way I can control this cache or delete it without rebooting the firewall? I need to be able to change these settings so that they have an immediate effect.
Also, as a side question:
Say I have a profile that blocks expired certificates. Can I make exceptions to that? Some sort of whitelist?
Thanks
05-26-2013 11:22 AM
Oh, and as a third question: Where in the logs do I find SSL related messages like drops on expired certificates? I know how to find out whether a session was decrypted or not, but how do I dig deeper if I need to troubleshoot something or just filter on "all expired certificates" and things like that?
05-27-2013 06:27 PM
A1. "debug dataplane reset ssl-decrypt certificate-cache" command will do the job. (This will also reset the SSL connection of Admin GUI).
A2. If it's kind of hostname based whitelist, I don't think it's possible.
A3. To see if the session is denied by expired cert, "show session id <id number>" might help. It shows "session tracker stage deny : proxy decrypt failure". There might be better way to check.
Some other commands,
- show system setting ssl-decrypt ?
> certificate Show ssl-decrypt certificate
> certificate-cache Show ssl-decrypt certificate cache
> exclude-cache Show ssl-decrypt exclude cache
> memory Show ssl-decrypt memory usage
> notify-cache Show ssl-decrypt notify cache
> session-cache Show ssl-decrypt session cache
> setting Show ssl-decrypt settings
- debug dataplane reset ssl-decrypt ?
> certificate-cache Clear all ssl-decrypt certificate cache in dataplane
> certificate-status Clear all ssl-decrypt certificate CRL status cached in dataplane
> exclude-cache Clear all exclude cache in dataplane
> host-certificate-cache Clear all SSL certificates stored in host
> notify-cache Clear all ssl-decrypt notify-user cache in dataplane
> session-cache Clear all ssl-decrypt session cache in dataplane
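As an added example (not from the thread or from Palo Alto Networks), the following Python snippet shows one way to act on A3 at scale: collect the text of several `show session id <id>` dumps and pull out the ones denied with "proxy decrypt failure", together with their source and destination, so you can spot which clients hit a certificate the profile rejected. The sample dumps are constructed; only the session header and the "session tracker stage deny : proxy decrypt failure" line follow the format quoted above, and the other fields (`source:`, `dst:`, `application`) are assumed. Point the parser at real output captured from the CLI and adjust the regular expressions if your PAN-OS version prints the fields differently.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample output, modelled loosely on "show session id <id>".
# Session 12345 was denied by the decryption proxy; 12346 closed normally.
SAMPLE_SESSIONS = {
    "12345": """Session         12345
        c2s flow:
                source:      192.0.2.10 [trust]
                dst:         203.0.113.5
                proto:       6
                sport:       51234           dport:      443
        application         : ssl
        session to be decrypted         : True
        session tracker stage deny : proxy decrypt failure
""",
    "12346": """Session         12346
        c2s flow:
                source:      192.0.2.11 [trust]
                dst:         203.0.113.6
                proto:       6
                sport:       51235           dport:      443
        application         : ssl
        session to be decrypted         : True
        session tracker stage firewall  : TCP FIN
""",
}

# "session tracker stage deny : <reason>" is the line the answer above points to.
DENY_RE = re.compile(r"^session tracker stage deny\s*:\s*(?P<reason>.+?)\s*$")
HEADER_RE = re.compile(r"^Session\s+(?P<id>\d+)\s*$")
SOURCE_RE = re.compile(r"^source:\s*(?P<addr>\S+)")
DST_RE = re.compile(r"^dst:\s*(?P<addr>\S+)")


def parse_session(text: str) -> Dict[str, str]:
    """Extract id, first source/dst seen, and the deny reason (if any) from one dump."""
    fields = {"id": "", "source": "", "dst": "", "deny_reason": ""}
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            fields["id"] = m.group("id")
            continue
        # Only keep the c2s (first) flow's addresses; the s2c flow repeats them reversed.
        m = SOURCE_RE.match(line)
        if m and not fields["source"]:
            fields["source"] = m.group("addr")
            continue
        m = DST_RE.match(line)
        if m and not fields["dst"]:
            fields["dst"] = m.group("addr")
            continue
        m = DENY_RE.match(line)
        if m:
            fields["deny_reason"] = m.group("reason")
    return fields


def find_decrypt_denies(dumps: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed sessions whose deny reason is a decrypt failure."""
    parsed = (parse_session(d) for d in dumps)
    return [s for s in parsed if "decrypt failure" in s["deny_reason"]]


if __name__ == "__main__":
    for s in find_decrypt_denies(SAMPLE_SESSIONS.values()):
        print(f"session {s['id']}: {s['source']} -> {s['dst']} denied ({s['deny_reason']})")
```

Note that the deny reason alone does not say why the proxy failed (expired certificate, untrusted issuer, unsupported cipher); cross-reference the destination against the decryption profile settings you are testing, and remember that the 12-hour certificate cache mentioned in the question means a setting change only shows up in new lookups once the cache is cleared.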
05-28-2013 12:00 AM
Awesome, Yasu. Very helpful! Thanks a lot!
07-28-2016 05:27 PM
Can we automate clearing the SSL cert cache in PA? Do we have to do it manually every time?
@ymiyashita wrote:A1. "debug dataplane reset ssl-decrypt certificate-cache" command will do the job. (This will also reset the SSL connection of Admin GUI).
A2. If it's kind of hostname based whitelist, I don't think it's possible.
A3. To see if the session is denied by expired cert, "show session id <id number>" might help. It shows "session tracker stage deny : proxy decrypt failure". There might be better way to check.
Some other commands,
- show system setting ssl-decrypt ?
> certificate Show ssl-decrypt certificate
> certificate-cache Show ssl-decrypt certificate cache
> exclude-cache Show ssl-decrypt exclude cache
> memory Show ssl-decrypt memory usage
> notify-cache Show ssl-decrypt notify cache
> session-cache Show ssl-decrypt session cache
> setting Show ssl-decrypt settings
- debug dataplane reset ssl-decrypt ?
> certificate-cache Clear all ssl-decrypt certificate cache in dataplane
> certificate-status Clear all ssl-decrypt certificate CRL status cached in dataplane
> exclude-cache Clear all exclude cache in dataplane
> host-certificate-cache Clear all SSL certificates stored in host
> notify-cache Clear all ssl-decrypt notify-user cache in dataplane
> session-cache Clear all ssl-decrypt session cache in dataplane