This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
SSL Inbound decryption woes
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- Re: SSL Inbound decryption woes
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
SSL Inbound decryption woes
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-08-2013 12:10 PM
Hi there,
we just configured our first SSL Inbound decryption, but we have some trouble and need help troubleshooting it.
Very simple setup:
Webserver in DMZ zone
Firewall policy: from:untrust to:dmz; src:any; dst:webserver; app:ssl,web-browsing; service:service-http(s); action:allow
Decryption policy: from:untrust to:dmz; src:any; dst:webserver; action:decrypt
The webserver's certifictate and key have been imported to the firewall.
Accessing the webserver from an external PC: Traffic gets decrypted perfectly.
Accessing the webserver from an iPhone and from and Android device: Traffic is *not* being decrypted.
In all cases the source IPs were completely random and are not subject to any firewall rule. This is reproducible and I tried to find out why it would decrypt in one case but not in another.
Any ideas? Is there a way I can troubleshoot this other than looking at the traffic logs, which don't contain any helpful information?
Thanks
Labels:
- Labels:
-
Set Up
-
Troubleshooting
21 REPLIES 21
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-08-2013 12:37 PM
Can you try different browsers on the mobile devices.This could be caused by Unsupported SSL cipher suite (algo) selected by Client.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-08-2013 01:19 PM
How can I see that on the firewall? Where are incompatibilities being logged?
Will try...
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-08-2013 04:12 PM
If the SSL version or cipher suite is not supported for decryption you should see a related entry in O/P of following command :
>show system setting ssl-decrypt exclude-cache
To reset this cache :
> debug dataplane reset ssl-decrypt exclude-cache
Ref :
Following Global counters could be helpful in troubleshoting :
>show counter global | match proxy - PAN-OS 3.0.0 and 3.1.0
proxy_process 1205 info proxy pktproc Number of flows go through proxy
proxy_no_process 453 info proxy pktproc Number of flows donot go through proxy
proxy_wqe_held 253 info proxy resource Number of wqe held by proxy for notify answer
proxy_excluded 78 info proxy pktproc Number of ssl sessions bypassed proxy because of exclusion
proxy_client_hello_failed 4 warn proxy pktproc Number of ssl sessions bypassed proxy because client hello can't be parsed
proxy_url_request_pkt_drop 24 info proxy pktproc The number of packets get dropped because of waiting for url category request in ssl proxy
proxy_url_category_unknown 23435 info proxy pktproc Number of sessions checked by proxy with unknown url category
url_session_not_in_ssl_wait 4 error url system The session is not waiting for url in ssl proxy
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-08-2013 11:25 PM
Hi Nadir,
thanks for the help. In fact, when I tried mobile Firefox the session was decrypted just fine. Using Google Chrome (Android) or mobile Safari (iPhone) the session would not get decrypted. Looks like an issue with Webkit based browsers. HOWEVER:
There is nothing related in the certificate list you get when issuing the 'show system setting ssl-decrypt exclude-cache' command. The webserver's certificate does not show up in that list.
What I also don't understand: If there is a problem with ciphers, why can I connect to the webserver using iPhone/Android just fine? The browser seems to be encrypting the session without a problem. It's the firewall that does not decrypt.
Related Content
- reverse proxy key 'abc.com' doesn't match certificate issued to 'abc.com' in General Topics
- User insertion fail with keep alive header enable in Next-Generation Firewall Discussions
- Vulnerability Protection profile alters APP-ID behavior in General Topics
- AWS and Inbound SSL Inspection in VM-Series in the Public Cloud
- ssl-inbound inspection problem in General Topics
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks