01-27-2020 02:05 AM
I am trying to get SSL Forward Proxy working properly, generally it seems to be OK but I have a site I have tested
is for the bank hsbc
that gives an error..
Certificate Error
There is an issue with the SSL certificate of the server you are trying to contact.
Certificate Name:
IP: 91.214.6.22
Category: not-resolved
Issuer:
Status: unknown
Reason:
I have read this
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm66CAC
Coincidentally, the site in the help link actualy uses the exact same certificate as HSBC.
I have imported both certificates in the chain
"DigiCert High Assurance EV Root"
"DigiCert SHA2 Extended Validation Server CA"
Tried setting root and SHA2 as CA...
But the error persists for both the site I need and the site from the help document.
My forward Proxy is presently configured like.... ( I had to disable "Check Timeout" as that failed also )
[/] Block sessions with expired certificates
[/] Block sessions with untrusted issuers
[/] Block sessions with unknown certificate status
[ ] Block sessions on certificate status check timeout
[ ]Restrict certificate extensions
Cheers
Rob
01-28-2020 04:11 PM
Hey there Rob @RobinClayton ,
I am sorry that you are having issues trying to decrypt that one site.. but I will state that in the normal setup for SSL Decryption, we normally exclude Banking and Medical sites to reserve privacy.
I assume that other sites work without issue?
01-29-2020 12:34 AM
No
Anything on Digicert or Comodo is an issue. [at least]
I have to unset "Untrusted Issuer" & "Unknown Status" , and that's in addition to the "Check Timeout" which fails for everything.
01-29-2020 08:25 AM - edited 01-29-2020 08:26 AM
Hello,
Are you having the PAN perform certificate checks? And is the PAN allowing that checked traffic?
Also I agree with Jdelio, its best to exclude the following to avoid issues with compliance and privacy:
banking
medical
military
government
Regards,
01-29-2020 08:38 AM
The unit is configured to send both CRL and OSCP but I can't find where I would see this traffic. Service router does not include an option for OSCP only CRL...
This is on an 8.0 FW, but the certs are there and look to have the same time stamp.
Rob
01-29-2020 08:40 AM
Hello,
If the service routes are set to default, they would source from the management interface. So filter traffic from it and appropriate applications to see. Also dont decrypt this traffic :).
Regards,
01-29-2020 08:48 AM
It was set on the MGMT interface, but I did not see any CRL/OSCP app-id traffic.
I now have it configured for CRL Service on the external interface, but that made no difference.
01-29-2020 02:29 PM
Keep in mind that depending on your actual firewall configuration, you may not be recording the logs for this traffic. You'll want to ensure that you have your security rulebase and routing setup so that the firewall sees and logs this traffic. Alternatively, since you are now sourcing the traffic to from your untrust interface you can start a PCAP and look for the traffic.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
