08-26-2015 01:36 AM
Hi,
I am not able to get to https://platinum.netnames.com/ with SSL decryption on, on PAN 7.0.1 / PA-3020 (IE11 / FF40 == TLS failure). Also, speed seems capped to 3Mbit/s with some CDNs (S3 AWS). Am I missing something?
thanks.
08-26-2015 02:20 AM - edited 08-26-2015 02:34 AM
The website "https://platinum.netnames.com" is using an unsupported cipher suite (TLS_ECDHE_RSA is not supported); that's why you are having issues while opening that website. Refer to the following document
08-26-2015 02:25 AM
Hi,
This site only supports cipher suites with forward secrecy (ciphers with ECDHE or DHE). Those ciphers are not supported by the SSL decryption feature of Palo Alto.
These are the supported ciphers of this website:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
source: https://www.ssllabs.com/ssltest/analyze.html?d=platinum.netnames.com
Hope this helps.
Regards,
Remo
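As an added illustration (not code from any poster or from Palo Alto Networks), the check below classifies a server's offered cipher suites by key-exchange family and predicts whether a decrypting proxy that can only negotiate RSA key transport will complete the handshake. The six suites listed above are embedded as sample input; the RSA-only capability of the proxy is an assumption taken from this thread, and the second, mixed-suite site is constructed.

```python
import re

# Assumption (from this thread): the decryption proxy cannot negotiate
# forward-secret key exchanges, so only RSA key transport counts as supported.
PROXY_SUPPORTED_KX = {"RSA"}

# Key-exchange families in IANA suite names that provide forward secrecy.
FORWARD_SECRET_KX = {"ECDHE_RSA", "ECDHE_ECDSA", "DHE_RSA", "DHE_DSS", "TLS13"}

_SUITE_RE = re.compile(r"^TLS_(?P<kx>[A-Z_]+?)_WITH_")

# Sample input: the six suites quoted above for platinum.netnames.com.
NETNAMES_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]

# Constructed second site: same list plus one legacy RSA-key-transport fallback.
MIXED_SUITES = NETNAMES_SUITES + ["TLS_RSA_WITH_AES_128_CBC_SHA"]


def key_exchange(suite: str) -> str:
    """Key-exchange family of an IANA cipher suite name, e.g. 'ECDHE_RSA' or 'RSA'.
    TLS 1.3 names (TLS_AES_128_GCM_SHA256) have no kx field because every
    TLS 1.3 handshake is (EC)DHE; they are reported as 'TLS13'."""
    m = _SUITE_RE.match(suite)
    if m:
        return m.group("kx")
    if suite.startswith("TLS_") and "_WITH_" not in suite:
        return "TLS13"
    raise ValueError(f"unrecognised cipher suite name: {suite}")


def decryption_outcome(server_suites, proxy_kx=PROXY_SUPPORTED_KX) -> dict:
    """Predict whether a proxy that only speaks `proxy_kx` can complete the
    handshake: the server must offer at least one suite in that family."""
    usable = [s for s in server_suites if key_exchange(s) in proxy_kx]
    fs_only = all(key_exchange(s) in FORWARD_SECRET_KX for s in server_suites)
    if usable:
        action = "decrypt"
    elif fs_only:
        # Forward-secrecy-only servers are the ones that need a no-decrypt entry.
        action = "add to no-decrypt list"
    else:
        action = "investigate"  # unsupported but non-FS suites (e.g. static ECDH)
    return {"decryptable": bool(usable), "usable_suites": usable, "action": action}
```

Running `decryption_outcome(NETNAMES_SUITES)` shows the thread's case: no overlap with the proxy's key exchanges, so the handshake cannot succeed and the site has to be excluded from decryption.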
08-26-2015 02:28 AM
That's what I suspected; however, I don't understand why it can't be handled in a graceful manner (aka simply not decrypting). It is not very convenient to whitelist per incident (nor is it practical). It would be nice if Palo Alto could maintain a category of such sites on their own so we just have to exclude it from decryption and everybody benefits from it.
Is anyone using SSL Decrypt in the field with a lot of URL categories?
thanks for your input.
08-26-2015 02:36 AM - edited 08-26-2015 02:37 AM
Some servers use non-standard cipher suites; that's why PA cannot decrypt them. However, PAN-OS 7.0 can decrypt more traffic than previous versions.
Regards,
Pankaj Kumar
08-26-2015 06:12 AM - edited 08-26-2015 06:13 AM
I totally feel your pain and agree... I've actually got a case open right now on this very issue. The number of TLS 1.2 sites that fail to load because of cipher suites the Palo doesn't support is kinda crazy.
Then compounding the issue is the "Page can't be displayed" error users get in IE. At least Chrome gives users a "Connection Closed Error", which does indicate something actually happened.
On your decryption profile you should be able to allow connection to SSL sites with "Unsupported ciphers" which I've actually got set to allow, but the 5060 still isn't allowing the connection. So TAC is investigating.
08-26-2015 07:01 AM
FWIW I am the only user of the solution (demo unit), and I am thinking of turning off SSL decryption given the number of issues it causes. I can't imagine the number of tickets I would get with 1K+ users on it.
How is TAC dealing with these issues from your experience?
Thanks!
08-26-2015 07:51 AM
Oddly enough, it's still worth it.
Not all sites run TLS 1.2. There have been plenty of cases where decrypted content has enabled the threat service to find malware.
There are also a fair number of sites running TLS 1.2 that the device does support: FB, YouTube, webmail, as well as other governmental websites.
08-26-2015 07:54 AM
As far as TAC support on this TLS issue. I've only had the case open for about 12 hours. We'll see how things progress.
08-27-2015 09:48 AM
I've got about 1k users and I am decrypting all traffic. Currently running 7.0.1 on a pair of 3050s. 7.x has definitely improved the situation, as they fixed a bug that prevented many pages from loading even with the unsupported cipher bypass enabled. You still run into situations like the one you described, but not nearly as many as before. I generally have 2-3 unblock requests per week, so it is manageable for now. I expect that number to go up in the future as more sites begin using cipher suites that the Palos can't handle. I'm hoping Palo is putting time into supporting more suites, as decryption is one of the foundations of their App-ID.
08-31-2015 10:35 AM
Still don't have an answer from TAC.
09-01-2015 01:22 AM
Slightly OT, what kind of traffic do you manage to require 3050s instead of 3020s for 1K users?
09-08-2015 08:56 AM
Bug ID 83524 has been documented for sites with unsupported cipher suites still not being accessible when configured to not block unsupported cipher suites.
The current workaround is to bypass URLs as they come. As of this date, 8 Sep 15, this bug still isn't resolved in 7.0.2; though operability with other ciphers might be better, the bug isn't officially resolved in 7.0.2.
10-13-2015 11:56 PM
I asked a Palo Alto representative about this a few months back, and support for TLS_ECDHE_RSA and TLS_DHE_RSA was planned to be implemented sometime in the first half of 2016.
Could be coming in PANOS 8?