SSL Inbound decryption woes

cancel
Showing results for 
Search instead for 
Did you mean: 

SSL Inbound decryption woes

L3 Networker

Hi there,

we just configured our first SSL Inbound decryption, but we have some trouble and need help troubleshooting it.

Very simple setup:

Webserver in DMZ zone

Firewall policy: from:untrust to:dmz; src:any; dst:webserver; app:ssl,web-browsing; service:service-http(s); action:allow

Decryption policy: from:untrust to:dmz; src:any; dst:webserver; action:decrypt

The webserver's certifictate and key have been imported to the firewall.

Accessing the webserver from an external PC: Traffic gets decrypted perfectly.

Accessing the webserver from an iPhone and from and Android device: Traffic is *not* being decrypted.

In all cases the source IPs were completely random and are not subject to any firewall rule. This is reproducible and I tried to find out why it would decrypt in one case but not in another.

Any ideas? Is there a way I can troubleshoot this other than looking at the traffic logs, which don't contain any helpful information?

Thanks

21 REPLIES 21

I guess it's time to open a case with PAN support.

L4 Transporter

I've got two pcaps open right now, and it looks like the difference between the two of them is the TLS version that was negotiated.

The pcap I captured of a session where decrypt seems to work has TLSv1. The pcap of the session where decrypt did NOT appear to work negotiated TLSv1.2.

Can somebody else confirm what I'm seeing?

We're opening a case too.. we can reference your case (and vice-versa) if you'd like, maybe it'll get some more traction that way.

Thanks. Will do and post the case number here.

https://live.paloaltonetworks.com/message/17280#17280

I wonder what happend to TLS1.2 support?

Interesting. Thanks Mikand. Let's see what PAN support has to say about this.

MY PAN support case number: 00146841

cryptochrome - our case number is 00146826

My colleague titled it "SSL Decrypt does not work from iOS" because that's essentially what the impact of not supporting TLS 1.2 is apparently.

- it also affects Android's chrome browser, which is also based on WebKit, just like mobile Safari. Would be interesting to find out whether it also applies to desktop Safari.

Support is asking for a freaking GoToMeeting session, which is honestly a waste of time at this point. I'm pushing back on them asking for a GTM session.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!