09-04-2022 01:08 PM - edited 09-04-2022 01:19 PM
Hello everyone.
i'm configuring decryption with ssl-inbound inspection towards a nas synology via DNAT port-forwarding but i'm having trouble working with the following error that gives me the browser "PR_END_OF_FILE_ERROR". DNAT without ssl-inbound inspection works fine without certificate errors if I try to reach the web server from outside.
I have imported the certificate and the priv-key of the synology correctly on the fw and applied to the decryption policy, but I doubt that the zone-level decryption policy is wrong.
I post a couple of screens for completeness, decrypt, nat, security and logs
Actually topology: internet--->router(dnat to ptp-fw)--->FW(dnat to synology TCP 5001)---->SYNOLOGY
Thanks in advice,
Angelo.
09-05-2022 08:15 AM - edited 09-05-2022 08:27 AM
There are other posts for such issues and you can google them but "PTP-FW-WAN2" is the destination address in your nat and security policies and for the security policy I think it should the translated internal zone address "SYNLOGY-NAC-...".
If you still have issues see drop packet captures, global counters, flow basic etc:
Still check that the app is indeed using normal SSL and that it is not using pinned SSL certs that can't be decrypted. You can look at the SSL logs:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloUCAS
10-13-2022 02:24 PM
If you managed to get the needed answers, please flag the question as answered.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
