SSL Inbound decryption woes

Showing results for 
Show  only  | Search instead for 
Did you mean: 

SSL Inbound decryption woes

L3 Networker

Hi there,

we just configured our first SSL Inbound decryption, but we have some trouble and need help troubleshooting it.

Very simple setup:

Webserver in DMZ zone

Firewall policy: from:untrust to:dmz; src:any; dst:webserver; app:ssl,web-browsing; service:service-http(s); action:allow

Decryption policy: from:untrust to:dmz; src:any; dst:webserver; action:decrypt

The webserver's certifictate and key have been imported to the firewall.

Accessing the webserver from an external PC: Traffic gets decrypted perfectly.

Accessing the webserver from an iPhone and from and Android device: Traffic is *not* being decrypted.

In all cases the source IPs were completely random and are not subject to any firewall rule. This is reproducible and I tried to find out why it would decrypt in one case but not in another.

Any ideas? Is there a way I can troubleshoot this other than looking at the traffic logs, which don't contain any helpful information?



Interesting. Thanks Mikand. Let's see what PAN support has to say about this.

MY PAN support case number: 00146841

cryptochrome - our case number is 00146826

My colleague titled it "SSL Decrypt does not work from iOS" because that's essentially what the impact of not supporting TLS 1.2 is apparently.

- it also affects Android's chrome browser, which is also based on WebKit, just like mobile Safari. Would be interesting to find out whether it also applies to desktop Safari.

Support is asking for a freaking GoToMeeting session, which is honestly a waste of time at this point. I'm pushing back on them asking for a GTM session.

Right right, it's looking like the root is WebKit's negotiation of TLS 1.2 is the root, we're just trying to roll out iPads and it's the platform that is affecting us most right now.

Regarding Chrome you can try various startup command lines to see which workaround might work:

Such as --ssl-version-min and/or --ssl-version-max and such (press ctrl+f and search for lines containing "tls" 🙂

The above is of course broken approach if you want your PA to protect your servers connected to internet but might help the support to narrow down if the error is caused by that PANOS obviously still doesnt have support for TLS1.2 or not.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!