SSL inbound inspection wildcard certificate

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SSL inbound inspection wildcard certificate

L2 Linker

Trying to configure ssl inbound inspection for one of my web sites hosted internally. The IIS server has many sites being served thru host headers. All of the SSL bound sites use the same wildcard certificate *.external-domain-name on this server. I export this cert with key and import into pa.

I make decryption policy to match a specific url in url category for the site I am testing with. When I watch the monitor i see session_end_reason eq decrypt-unsupport-param in session end reason. I am not sure what I am doing wrong.

Wildcard certs not supports for inbound inspection maybe? 

Thanks for reading.

4 REPLIES 4

L4 Transporter

What version of PAN-OS are you running?  If you are using newer crypto on your certificates you will need PAN-OS 7.1 or higher.

running 7.1.5

We are still looking for a fix with this. We have since upgraded to 8.0.5 and it still doesnt work. Anyone had any success with this?

Hi @dkordyban

 

Does your IIS only accept connections with SNI or does it serve also a default website for connections without SNI? Did you capture traffic between the firewall and the webserver -> does the firewall send the SNI attribute?

Did you open a support case regarding this issue?

  • 3473 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!