SSL decryption troubleshooting

Showing results for 
Show  only  | Search instead for 
Did you mean: 

SSL decryption troubleshooting

L4 Transporter

I am trying to get SSL Forward Proxy working properly, generally it seems to be OK but I have a site I have tested


is for the bank hsbc


that gives an error..


Certificate Error

There is an issue with the SSL certificate of the server you are trying to contact.

Certificate Name:


Category: not-resolved


Status: unknown





I have read this


Coincidentally, the site in the help link actualy uses the exact same certificate as HSBC.


I have imported both certificates in the chain 

"DigiCert High Assurance EV Root"
"DigiCert SHA2 Extended Validation Server CA"


Tried setting root and SHA2 as CA... 


But the error persists for both the site I need and the site from the help document.


My forward Proxy is presently configured  like.... ( I had to disable "Check Timeout" as that failed also )


[/] Block sessions with expired certificates

[/] Block sessions with untrusted issuers

[/] Block sessions with unknown certificate status

[ ] Block sessions on certificate status check timeout

[ ]Restrict certificate extensions





L7 Applicator

Hey there Rob @RobinClayton ,

I am sorry that you are having issues trying to decrypt that one site.. but I will state that in the normal setup for SSL Decryption, we normally exclude Banking and Medical sites to reserve privacy. 


I assume that other sites work without issue?

LIVEcommunity team member
Stay Secure,
Don't forget to Like items if a post is helpful to you!



Anything on Digicert or Comodo is an issue. [at least]


I have to unset "Untrusted Issuer" & "Unknown Status" , and that's in addition to the "Check Timeout" which fails for everything.


Are you having the PAN perform certificate checks? And is the PAN allowing that checked traffic?


Also I agree with Jdelio, its best to exclude the following to avoid issues with compliance and privacy:







The unit is configured to send both CRL and OSCP but I can't find where I would see this traffic. Service router does not include an option for OSCP only CRL...


This is on an 8.0 FW, but the certs are there and look to have the same time stamp.




If the service routes are set to default, they would source from the management interface. So filter traffic from it and appropriate applications to see. Also dont decrypt this traffic :).



It was set on the MGMT interface, but I did not see any CRL/OSCP app-id traffic.


I now have it configured for CRL Service on the external interface, but that made no difference. 


Keep in mind that depending on your actual firewall configuration, you may not be recording the logs for this traffic. You'll want to ensure that you have your security rulebase and routing setup so that the firewall sees and logs this traffic. Alternatively, since you are now sourcing the traffic to from your untrust interface you can start a PCAP and look for the traffic. 

  • 7 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!