SSL decryption and Http redirection


L3 Networker


I am testing SSL decryption and it seems to work fine except when HTTP redirection is involved. E.g. when you try to connect to Https:// , Google redirects you to and it gives me a certificate error because the hostname in the cert does (in this case) not match the hostname that you are connecting to (originally). Is there some way of working around this? I am using PANOS 4.0.4.




L0 Member

Hi Sunil, did you ever find out the answer to your question?

I'm running into the same issue on a project I'm working on due to a coworker's temporary incapacitation. If I go to I will get an error saying The security certificate presented by this website was issued for a different website’s address. If I view the certificate I see that by my PA-2020 (which is a trusted root) however the certificate has been issued to hence the error because the browser is expecting to see a certificate for Figured I'd check the forums before opening a case



Did you solve this issue?

We are running 4.1.6 and have similar problems with Gmail when it is redirected to the https URL.

SSL decryption has been running fine for most websites but it's true is one of the few that is creating troubles.

Can you tell me the reason?

Thank you

My opinion is the following: is hosted on the same server as , to achieve that Google didn't create (for once) a multi SAN SSL certificate but relies on a TLSv1 feature that allows Client and Server to negotiate which certificate to use.

If Client asks for, Server will present certificate, if Client asks during TLS negotiation then Server will present certificate.

As PA seems to fail explicitly on those I have several theories:

  • PA doesn't support TLS certificate negotiation when you ask it to decrypt so it will fall back to the default presented certificate:
  • PA caches which certificate is associated to an IP (for performance benefits) and will reuse it next time you connect, whatever you are trying to negotiate (until cache expires)
  • A mix of the above theories.
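
The theories in the post above can be told apart with a small model of the behaviour. This is an added example, not part of the thread and not Palo Alto Networks code; the hostnames, the IP address and the `Proxy` class are constructed for illustration, and the server-side selection it models is TLS Server Name Indication (SNI).

```python
"""Constructed model: SNI-based certificate selection vs. two proxy behaviours."""

# Constructed virtual-host table for one IP: SNI name -> SAN list of the cert served.
VHOSTS = {
    "www.example.test": ["www.example.test"],
    "mail.example.test": ["mail.example.test"],
}
DEFAULT_CERT = VHOSTS["www.example.test"]   # served when the client sends no SNI
SERVER_IP = "192.0.2.10"                    # documentation address, not a real host


def server_cert(sni):
    """Origin server: pick the certificate by SNI, else fall back to the default."""
    return VHOSTS.get(sni, DEFAULT_CERT)


def san_matches(host, sans):
    """Browser-style name check: exact match or a single left-label wildcard."""
    host = host.lower().rstrip(".")
    for san in sans:
        san = san.lower()
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


class Proxy:
    """Hypothetical decrypting proxy that re-signs the names of the upstream cert."""

    def __init__(self, forward_sni=True, cache_by_ip=False):
        self.forward_sni = forward_sni
        self.cache_by_ip = cache_by_ip
        self.cache = {}

    def forged_sans(self, host, ip=SERVER_IP):
        if self.cache_by_ip and ip in self.cache:
            return self.cache[ip]          # theory 2: reuse whatever was seen first
        sans = server_cert(host if self.forward_sni else None)  # theory 1: no SNI
        if self.cache_by_ip:
            self.cache[ip] = sans
        return sans


def browse(proxy, hosts):
    """Visit hosts in order; return {host: does the browser accept the cert?}."""
    return {h: san_matches(h, proxy.forged_sans(h)) for h in hosts}
```

With the per-IP cache the failing hostname depends on which site was visited first, while a proxy that drops SNI always fails on the non-default hostname, so visit order is a quick way to distinguish the two when testing.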