02-09-2021 07:28 AM
hello, we are setting up SSL Inspection for inbound traffic but it is failing when clients try to access, we are getting unsupported protocol errors. ssl labs shows the following issues around handshaking.
with SSL Inspection off we do not see these errors
can anyone advise what we can do to address this? we are running PAN OS 9.0
Thanks
Ryan
02-10-2021 02:54 PM
Mismatched or unsupported ciphers are the cause of 99.9% of these issues. Verify that all of the ciphers used by the server are actually supported by the firewall and that only supported ciphers are being utilized. If you have ciphers checked on your decryption profile that the server doesn't support, or ciphers on the server that the firewall doesn't support, it's not able to proxy that connection properly.
02-12-2021 02:52 AM
Thanks for the reply.
looks like issue is to do with EC x25519 being used by our server. i see this is supported on PAN OS 10 with TLS1.3 and is NIST approved.
Do you know if support for this will be added to PAN OS 9.0? i am reluctant to ask our server team to disable x25519 across our server estate or move up to 10.0 at this current time.
Thanks
Ryan
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
