This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

SSL Decryption+ALPN not stripped: yandex.com not working

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

SSL Decryption+ALPN not stripped: yandex.com not working

Go to solution
ShaiW
L4 Transporter

‎01-03-2022 10:56 PM

Hi

 

I have a customer that wrote to me yesterday that if they remove the checkbox for Strip ALPN while having SSL decryption enabled, a few web sites such as yandex.com stop working.

I was able to reproduce this with my PA-3220 and PANOS 9.1 and also on my VM with PANOS 10, the result is ERR_HTTP2_PROTOCOL_ERROR in Edge browser. There do not appear to be any decrypt-error messages and in the traffic log it appears like a normal decrypted session.

I dug through the PCAP file, can see the chosen cipher and verified that it is indeed listed as available on firewall. Also counters do not show drops.

 

Does anyone have an idea what could cause this? Right now the customer has a decryption policy with Strip-ALPN enabled for these few sites.

 

Thanks,

Shai

1 accepted solution

Accepted Solutions

Go to solution
aleksandar.astardzhiev
Cyber Elite
Cyber Elite
In response to ShaiW

‎01-04-2022 01:57 PM

Hi @ShaiW 

It seems you have figure it out by yourself.

Strip-ALPN will basically dowgrade HTTP/2 to HTTP/1.1 and if I understand you correctly your decryption profile is configured with max version TLS 1.2. It sounds like removing the "strip ALPN" will leave HTTP/2, but it is failing because your decryption does not support TLS 1.3.

 

It is better to configure your profile to use max version with "max" and set the min version to specific version

Astardzhiev_1-1641333464832.png

This will make sure that when new TLS version is supported by the PanOS, you don't have to update your configuration (like in this case)

View solution in original post

0 Likes Likes
4 REPLIES 4

Go to solution
ShaiW
L4 Transporter

‎01-04-2022 07:04 AM

EDIT: This web site starts working if I change max version to TLS 1.3 (under decryption profile) and stops working when I set it at TLS 1.2. No other changes are made.

This feels like a specific web-site issue more than a firewall one.

 

0 Likes Likes

Go to solution
aleksandar.astardzhiev
Cyber Elite
Cyber Elite
In response to ShaiW

‎01-04-2022 01:57 PM

Hi @ShaiW 

It seems you have figure it out by yourself.

Strip-ALPN will basically dowgrade HTTP/2 to HTTP/1.1 and if I understand you correctly your decryption profile is configured with max version TLS 1.2. It sounds like removing the "strip ALPN" will leave HTTP/2, but it is failing because your decryption does not support TLS 1.3.

 

It is better to configure your profile to use max version with "max" and set the min version to specific version

Astardzhiev_1-1641333464832.png

This will make sure that when new TLS version is supported by the PanOS, you don't have to update your configuration (like in this case)

0 Likes Likes

Go to solution
ShaiW
L4 Transporter
In response to aleksandar.astardzhiev

‎01-04-2022 11:36 PM

Hi

 

The customer is still on PAN-OS 9 which does not support TLS 1.3 and all other web sites work fine. Its just yandex.com that does not.

I am pretty sure it is not firewall related, more like a web-site issue.

 

Shai

0 Likes Likes

Go to solution
Trustnet-ET
L1 Bithead
In response to aleksandar.astardzhiev

‎08-15-2022 12:23 AM

Hi,

Use with caution- at 3430 pair the workaround Min=TLS1.2 and Max=Max crashed firewall. Used PanOS 10.2.1

For the issue with ERR_HTTP2_PROTOCOL_ERROR the config change fixed it but just for a minute between commiting the change and till the FW crashed into maint mode.

 

0 Likes Likes
  • 1 accepted solution
  • 4220 Views
  • 4 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks