SSL decryption troubleshooting

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

SSL decryption troubleshooting

L4 Transporter

I am trying to get SSL Forward Proxy working properly, generally it seems to be OK but I have a site I have tested

 

is for the bank hsbc

 

that gives an error..

 

Certificate Error

There is an issue with the SSL certificate of the server you are trying to contact.

Certificate Name:

IP: 91.214.6.22

Category: not-resolved

Issuer:

Status: unknown

Reason:

 

 

 

I have read this 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm66CAC

 

Coincidentally, the site in the help link actualy uses the exact same certificate as HSBC.

 

I have imported both certificates in the chain 

"DigiCert High Assurance EV Root"
"DigiCert SHA2 Extended Validation Server CA"

 

Tried setting root and SHA2 as CA... 

 

But the error persists for both the site I need and the site from the help document.

 

My forward Proxy is presently configured  like.... ( I had to disable "Check Timeout" as that failed also )

 

[/] Block sessions with expired certificates

[/] Block sessions with untrusted issuers

[/] Block sessions with unknown certificate status

[ ] Block sessions on certificate status check timeout

[ ]Restrict certificate extensions


Cheers

 

Rob

7 REPLIES 7

L7 Applicator

Hey there Rob @RobinClayton ,

I am sorry that you are having issues trying to decrypt that one site.. but I will state that in the normal setup for SSL Decryption, we normally exclude Banking and Medical sites to reserve privacy. 

 

I assume that other sites work without issue?

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

No 

 

Anything on Digicert or Comodo is an issue. [at least]

 

I have to unset "Untrusted Issuer" & "Unknown Status" , and that's in addition to the "Check Timeout" which fails for everything.

Hello,

Are you having the PAN perform certificate checks? And is the PAN allowing that checked traffic?

 

Also I agree with Jdelio, its best to exclude the following to avoid issues with compliance and privacy:

banking

medical

military

government

 

Regards,

The unit is configured to send both CRL and OSCP but I can't find where I would see this traffic. Service router does not include an option for OSCP only CRL...

 

This is on an 8.0 FW, but the certs are there and look to have the same time stamp.

 

Rob

Hello,

If the service routes are set to default, they would source from the management interface. So filter traffic from it and appropriate applications to see. Also dont decrypt this traffic :).

 

Regards,

It was set on the MGMT interface, but I did not see any CRL/OSCP app-id traffic.

 

I now have it configured for CRL Service on the external interface, but that made no difference. 

@RobinClayton,

Keep in mind that depending on your actual firewall configuration, you may not be recording the logs for this traffic. You'll want to ensure that you have your security rulebase and routing setup so that the firewall sees and logs this traffic. Alternatively, since you are now sourcing the traffic to from your untrust interface you can start a PCAP and look for the traffic. 

  • 5796 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!