Hi paloalto community,
I tested my new SSL decryption rules against the badssl dashboard ( https://badssl.com/dashboard/ ).
So far it looks good. Unfortunately the check for sha1-intermediate doesn't pass. Our PA-850 (Firmware 9.0.5) does create a secure connection to this site for the client ( https://sha1-intermediate.badssl.com/ ), even though I configured it not to support SHA-1.
Here is my configuration:
Is there something I forgot to configure?
Thanks and best regards,
It is odd that this would be happening with PAN-OS 9.0.5, as anything like that should have been cleared up.
There was a prior discussion talking about similar things:
But there is no real answer as to why.
What browsers? Does it matter if you use Edge, Firefox or Chrome?
At least this website is not configured correctly. The web server does not send the intermediate certificate in the TLS handshake. Without this intermediate certificate the firewall cannot verify whether this certificate is trusted, i.e. it is not able to check the certificate path.
You now have 3 possibilities with your current configuration:
And yes, because Palo Alto firewalls don't have the intermediate certs locally, the "problem" you see will occur on all Palo Alto firewalls.
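To illustrate the point made in this answer, here is an added example (written for this thread, not Palo Alto Networks code) that walks a certificate path using only the certificates a server presented plus a local store of roots. The certificate records and names are constructed stand-ins, not real certificates from badssl.com or a PAN-OS trust store; it shows why a decrypting proxy that holds no intermediates stops at "chain incomplete" before it ever gets to inspect the intermediate's SHA-1 signature.

```python
"""Mock chain walk: server-presented certs + local roots only (constructed data)."""
from typing import Dict, List

# Constructed trust store: roots only, mirroring a proxy that has no intermediates.
TRUSTED_ROOTS: Dict[str, Dict[str, str]] = {
    "CN=Example Root CA": {"sig_hash": "sha256"},
}

# Constructed records: 'sig_hash' is the hash the issuer used to sign that cert.
LEAF = {"subject": "CN=sha1-test.example", "issuer": "CN=Legacy SHA1 Intermediate",
        "sig_hash": "sha256"}
SHA1_INTERMEDIATE = {"subject": "CN=Legacy SHA1 Intermediate",
                     "issuer": "CN=Example Root CA", "sig_hash": "sha1"}
GOOD_INTERMEDIATE = {"subject": "CN=Legacy SHA1 Intermediate",
                     "issuer": "CN=Example Root CA", "sig_hash": "sha256"}


def evaluate_chain(presented: List[Dict[str, str]],
                   roots: Dict[str, Dict[str, str]],
                   forbid_hash: str = "sha1") -> str:
    """Walk from presented[0] (the server cert) towards a trusted root.

    Returns 'ok' when the path ends at a local root, 'incomplete:<issuer>' when
    the next issuer is neither presented nor a root (the badssl case: the proxy
    cannot build the path at all), or 'weak-signature:<subject>' when a cert on
    the built path is signed with the forbidden hash.
    """
    by_subject = {c["subject"]: c for c in presented}
    cert = presented[0]
    seen = set()
    while True:
        if cert["subject"] in seen:
            return "loop"  # defensive: malformed/self-referencing input
        seen.add(cert["subject"])
        # Signature check happens per cert as the path is built, so a cert that
        # was never presented can never be flagged here.
        if cert["sig_hash"].lower() == forbid_hash:
            return f"weak-signature:{cert['subject']}"
        issuer = cert["issuer"]
        if issuer in roots:
            return "ok"
        nxt = by_subject.get(issuer)
        if nxt is None:
            return f"incomplete:{issuer}"
        cert = nxt


if __name__ == "__main__":
    print(evaluate_chain([LEAF], TRUSTED_ROOTS))                      # server omits intermediate
    print(evaluate_chain([LEAF, SHA1_INTERMEDIATE], TRUSTED_ROOTS))   # intermediate sent
    print(evaluate_chain([LEAF, GOOD_INTERMEDIATE], TRUSTED_ROOTS))   # clean chain
```

The first call models what the firewall sees from a server that omits its intermediate: the walk fails on the missing issuer, so the SHA-1 policy never has a certificate to act on; the second call shows the same chain being rejected once the intermediate is actually presented.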