SSL Decryption - log for SSL certificate errors?


L2 Linker

Hi all,

We are using PANOS URL Filtering and SSL Decryption, and we reject a variety of SSL certificate problems such as expired certificates, SHA-1 signing, etc.  When one of our users hits one of these web sites, they get a "block" page.  This invariably leads them to submit a request to have the site unblocked, without any additional information. 

We have been unable to find any log on the Monitor tab of the firewall console that will give us the reason why the certificate was rejected.  At most we get traffic logs with "aged-out."  Is this information being collected by PANOS?  Is it available anywhere in the console?  How do other people diagnose these blocks?

Thanks,

- Steve

1 accepted solution

Accepted Solutions

L3 Networker

Try this:

show system setting ssl-decrypt exclude-cache

or

show counter global filter delta yes | match ssl_sess_id_resume_drop

Here is a link with even more detail which may be helpful, though not as helpful as just adding this in the traffic log detail, which unfortunately is not currently a supported feature. Reach out to your sales engineer and request this be added as a feature in a future release.

https://live.paloaltonetworks.com/t5/Management-Articles/SSL-Decryption-Not-Working-due-to-Unsupport...


3 replies


L6 Presenter

Palo does provide a response page for SOME cert issues:

[Screenshot: SSL_Error.JPG]

Specifically for things like an expired certificate I've seen this page come up.  However for things like certificate negotiation issues I've only ever seen a "Page Can't Be Displayed" browser page.  The only way I've found to diagnose the issue is to perform a packet capture.  Doing this you can see a "Fatal Certificate Error" in the SSL/TLS negotiation.

When things like the latter occur it's very frustrating because, for one, users tend to think there's a problem with a distant end, and/or when the ticket comes to a less experienced technician they don't even think about certificate issues and performing such in-depth analysis.
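The reply above says the only reliable way to see why a handshake failed is a packet capture showing a fatal alert in the TLS negotiation. The following is an added example (not code from the thread or from Palo Alto Networks) of how a technician can pull that information out of the raw TCP payload of a captured session instead of reading it by eye in a packet viewer: it walks the TLS record layer, picks out alert records, and names the alert so a fatal certificate_expired or unknown_ca stands out from a generic handshake_failure. The byte stream at the bottom is constructed for the demonstration; in practice you would feed it the reassembled bytes of one direction of the captured connection.

```python
"""Walk TLS records from a captured byte stream and report fatal alerts.

Added example for this thread; not firewall or vendor code. It assumes the
caller has already reassembled the TCP payload of one direction of the
captured TLS session into a bytes object. The sample below is constructed.
"""
import struct

# TLS alert descriptions (RFC 5246, section 7.2) that matter when diagnosing
# a decryption proxy or browser rejecting a certificate.
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    49: "access_denied",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
    112: "unrecognized_name",
}
# Alert codes that point at a certificate problem rather than a cipher or
# protocol mismatch.
CERT_ALERTS = {42, 43, 44, 45, 46, 48}

CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22
ALERT_LEVEL_FATAL = 2


def iter_records(stream: bytes):
    """Yield (content_type, version, payload) per TLS record; stop at a truncated tail."""
    offset = 0
    while offset + 5 <= len(stream):
        content_type, version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        end = offset + 5 + length
        if end > len(stream):
            # Partial record at the end of the capture: do not guess its contents.
            break
        yield content_type, version, stream[offset + 5:end]
        offset = end


def find_fatal_alerts(stream: bytes):
    """Return a list describing every fatal (level 2) plaintext alert in the stream."""
    findings = []
    for content_type, version, payload in iter_records(stream):
        # A plaintext alert is exactly two bytes: level, description.
        if content_type != CONTENT_ALERT or len(payload) != 2:
            continue
        level, description = payload[0], payload[1]
        if level != ALERT_LEVEL_FATAL:
            continue
        findings.append({
            # Record-layer version as major.minor (3.3 is TLS 1.2).
            "version": f"{version >> 8}.{version & 0xFF}",
            "code": description,
            "name": ALERT_DESCRIPTIONS.get(description, "unknown"),
            "certificate_related": description in CERT_ALERTS,
        })
    return findings


# Constructed sample stream: a minimal handshake-typed record followed by a
# fatal certificate_expired alert, the shape a technician would see when the
# peer rejects an expired server certificate.
SAMPLE_STREAM = (
    bytes([CONTENT_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", 4) + b"\x01\x00\x00\x00"
    + bytes([CONTENT_ALERT, 0x03, 0x03]) + struct.pack("!H", 2)
    + bytes([ALERT_LEVEL_FATAL, 45])
)

if __name__ == "__main__":
    for finding in find_fatal_alerts(SAMPLE_STREAM):
        print(finding)
```

Only plaintext alerts are decoded; an alert sent after the handshake has switched to encrypted records cannot be named without the session keys, which is why a capture taken at the decrypting device, before re-encryption, is the useful one.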

L2 Linker

Hi,

Thanks to both of you for the suggestions.  I did reach out to our sales engineer to request the log as a feature.  A custom response page is probably going to be our best bet.

Thanks,

- Steve
