SSL Decryption bug in PAN-OS 9.1.14

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

SSL Decryption bug in PAN-OS 9.1.14

L2 Linker

I recently upgraded from panos 9.1.13-h3 to 9.1.14 then SSL decryption stopped working, in the traffic monitor there wasn't any decryption error but when i excluded a PC the internet worked

and it seams other people are also having the same issue (Reddit ), but its not in the known issue list until now

so i had to revert to the previous version and its working now fine


Accepted Solutions

L2 Linker

It looks like that a workaround has been published or am I wrong?


The firewall drops all decrypted outbound (SSL Forward Proxy) HTTP/2 traffic after you upgrade to PAN-OS 9.1.14. Dropping this traffic prevents users from loading HTTP/2 web pages and accessing websites that use HTTP/2.
Workaround: On the SSL Forward Proxy tab in the Decryption profile attached to the Decryption Policy rule that controls the HTTP/2 traffic, select Strip ALPN. When you Strip ALPN, the firewall negotiates HTTP/1.1 instead of HTTP/2.
It seems working in my environment.

View solution in original post


L5 Sessionator

I don't know if this is your exact issue, but it seems as if we are tracking something internally. PAN-194219, the software packet buffers are depleting erroneously during HTTP/2 inspection only post 9.1.14 upgrade, and subsequently not decrypting.  


I am now following the issue and will post updates / workarounds. 

Help the community! Add tags & mark solutions please.

Ok thank you, will not update until the issue is resolved

L0 Member

Same here. Rolling back now....I wonder why there is not any statement by PA. Or is it and I didn't find it? 

L5 Sessionator

The issue is escalated to the senior support queue, they've successfully recreated it in a lab and are now identifying root cause. 

Help the community! Add tags & mark solutions please.
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!