07-08-2013 12:10 PM
we just configured our first SSL Inbound decryption, but we have some trouble and need help troubleshooting it.
Very simple setup:
Webserver in DMZ zone
Firewall policy: from:untrust to:dmz; src:any; dst:webserver; app:ssl,web-browsing; service:service-http(s); action:allow
Decryption policy: from:untrust to:dmz; src:any; dst:webserver; action:decrypt
The webserver's certifictate and key have been imported to the firewall.
Accessing the webserver from an external PC: Traffic gets decrypted perfectly.
Accessing the webserver from an iPhone and from and Android device: Traffic is *not* being decrypted.
In all cases the source IPs were completely random and are not subject to any firewall rule. This is reproducible and I tried to find out why it would decrypt in one case but not in another.
Any ideas? Is there a way I can troubleshoot this other than looking at the traffic logs, which don't contain any helpful information?
07-09-2013 12:14 PM
Interesting. Thanks Mikand. Let's see what PAN support has to say about this.
07-09-2013 12:27 PM
MY PAN support case number: 00146841
07-09-2013 01:26 PM
cryptochrome - our case number is 00146826
My colleague titled it "SSL Decrypt does not work from iOS" because that's essentially what the impact of not supporting TLS 1.2 is apparently.
07-09-2013 11:17 PM
07-12-2013 06:47 AM
Support is asking for a freaking GoToMeeting session, which is honestly a waste of time at this point. I'm pushing back on them asking for a GTM session.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!