SSL decryption (Some traffic is not decrypted)


Dear All,

 

I have applied SSL forward decryption in my Palo Alto, and then I observed that some traffic is decrypted and some traffic is not decrypted.

Example: I have applied the decryption to social-networking (Facebook traffic is decrypted but Snapchat traffic is not decrypted; however, both fall under the social-networking category).

 

Why this strange behaviour?

24 REPLIES

@BPry @Remo 

 

Hello,

Now the problem is that Chrome is accepting the certificate, but I am not able to open some websites in the Chrome browser.

Ex: I have applied decryption only for YouTube and Netflix. When I open Netflix, it works fine; below is the screenshot for Netflix:

 

Jafar_Hussain_0-1581521919783.png

But when I open YouTube in Chrome, I get the error. Below is the screenshot.

 

Jafar_Hussain_1-1581522020611.png

 

I have already changed the certificates with the SHA-512 value, but the issue still persists.

Could you please help me with this?

 

@BPry @Remo  

Could you please update on this?

@Jafar_Hussain 

Neither @BPry nor I are working for Palo Alto Networks. We use our free time to try to help here in the community. So if you cannot wait more than 3 hours (as you asked again for an update here 3 hours after your post with the cert warnings), you should contact official Palo Alto support.

 

Anyway, which certificate did you change to SHA512? Was it really the CA cert used for decryption? What key size did you configure for the dynamically created certificates? Could you show a screenshot of the cert?

@Remo 

Sorry for this.

 

I have configured a new CA certificate with key size 2048 and SHA-512.

 

 

@Jafar_Hussain 

And you did configure this new CA cert as "Forward Trust Certificate"?

@Remo 

Yes, I configured as a forward trust cert.

Could you share the dynamically created cert (via export from the browser)?

Did you clear the local cert cache? Maybe the cert you see is still the one created with the old CA cert.

@vsys

I have performed this task:-

 

1 – Cleared the SSL state from the system.

Windows+R > inetcpl.cpl > Content > Clear SSL state > OK

2 – Cleared browsing data.

 

Give me some time; I will share the certificate also.

I was talking about the cert cache on the firewall.

@Remo 

I have cleared the cache only from the system.

 

How do I clear it from the firewall? Will it impact running operations?
