SSL Decryption

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SSL Decryption

L2 Linker

Hello,

 

I have a PA-VM running on a ESX server.

I want to set up SSL Decryption on it using a SUBCA certificate chain signed by a PKI (windows server).

I check boxes "Forward to trust/untrusted certifcate"

I export the SUBCA to store it on a client machine (to avoid warning message)

The network is OK

The policy is Any any permit

The SSL decryption policy is set up to decrypt everything

 

The main issue is the Following :

On the client machine, I not allowed to reach any website using HTTPS, the brower is telling me that the connection has been reset... whatever the browser (chrome, IE etc)

 

I can't find anything to solve my issue...

 

Thanks in advance

Regards

19 REPLIES 19

You need to do a packet capture on the client system and see what is going on.  With that you will likely be able to find out why the client is terminating the session.

 

You may also want to try Chrome on your Ubuntu machine, or another operating system all together.  

@SERMA-NES,

I agree with @it-thomas, the client is clearly resetting the traffic. 

 

What we know (or think we know)

- Traffic is being reset by the client, so it's not specifically a decryption issue. 

- The client believes the cert is not valid, which would be common for self-signed certs as you need to import the cert which you have.

- The issue persists even if you move off of 8.0

 

I would try this on Chrome and see where that gets you, I would also try this on a Windows machine with Internet Explorer or Edge as they are less prone to trigger on security issues. 

 

@BPry

"try this on a Windows machine with Internet Explorer or Edge as they are less prone to trigger on security issues. "

^

That statement is funny because it is true.

 

 

Remember for certs it checks 3 things, if any of those things fail it doesnt play well:

-Who you are

-- i.e. does the cert match the website, if it doesnt it will fail

-When you are good

-- outside of the valid cert period it will fail

-Who says I can trust you

-- If your root CA is not trusted, it will not trust anything below it in the chain.  That being said, make sure that you import the Root CA into the correct spot in your browser or it will fail.

 

 

 

It is possible that your TCP and/or SSL handshakes are getting all buggered up due to issues with your cer/decrypt.  In turn your client is killing the connection since it doesn't trust it.  The packet capture will tell you all of that information and help you pin down the failure point.

 

This also hasnt been asked yet, is HTTP working correctly?

 

http://www.bing.com

vs

https://www.bing.com

Try taking a simultaneous pcap on the ubuntu box and the firewall and compare them if the client generates a rst packet

Move over you can take the global counters during the test 

 

In the command line run show counter global filter packet-filter yes delta

Just make sure your  filters are setup to include only the source machine from where you are testing.

 

If you can please share the output of counters 

Hello,

 

Thanks everybody for your implication.

 

I solved my issue several weeks ago : Since PANOS 7, to make SSL decryption works, we have to configure "Any" on the service column and not "application default" on our policy

 

It works fine now !

  • 7334 Views
  • 19 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!