07-08-2013 12:10 PM
we just configured our first SSL Inbound decryption, but we have some trouble and need help troubleshooting it.
Very simple setup:
Webserver in DMZ zone
Firewall policy: from:untrust to:dmz; src:any; dst:webserver; app:ssl,web-browsing; service:service-http(s); action:allow
Decryption policy: from:untrust to:dmz; src:any; dst:webserver; action:decrypt
The webserver's certifictate and key have been imported to the firewall.
Accessing the webserver from an external PC: Traffic gets decrypted perfectly.
Accessing the webserver from an iPhone and from and Android device: Traffic is *not* being decrypted.
In all cases the source IPs were completely random and are not subject to any firewall rule. This is reproducible and I tried to find out why it would decrypt in one case but not in another.
Any ideas? Is there a way I can troubleshoot this other than looking at the traffic logs, which don't contain any helpful information?
07-09-2013 12:14 PM
Interesting. Thanks Mikand. Let's see what PAN support has to say about this.
07-09-2013 12:27 PM
MY PAN support case number: 00146841
07-09-2013 01:26 PM
cryptochrome - our case number is 00146826
My colleague titled it "SSL Decrypt does not work from iOS" because that's essentially what the impact of not supporting TLS 1.2 is apparently.
07-09-2013 11:17 PM
07-12-2013 06:47 AM
Support is asking for a freaking GoToMeeting session, which is honestly a waste of time at this point. I'm pushing back on them asking for a GTM session.
07-12-2013 06:48 AM
Right right, it's looking like the root is WebKit's negotiation of TLS 1.2 is the root, we're just trying to roll out iPads and it's the platform that is affecting us most right now.
07-12-2013 12:31 PM
Regarding Chrome you can try various startup command lines to see which workaround might work:
Such as --ssl-version-min and/or --ssl-version-max and such (press ctrl+f and search for lines containing "tls" 🙂
The above is of course broken approach if you want your PA to protect your servers connected to internet but might help the support to narrow down if the error is caused by that PANOS obviously still doesnt have support for TLS1.2 or not.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!