12-20-2016 01:59 PM
Trying to configure ssl inbound inspection for one of my web sites hosted internally. The IIS server has many sites being served thru host headers. All of the SSL bound sites use the same wildcard certificate *.external-domain-name on this server. I export this cert with key and import into pa.
I make decryption policy to match a specific url in url category for the site I am testing with. When I watch the monitor i see session_end_reason eq decrypt-unsupport-param in session end reason. I am not sure what I am doing wrong.
Wildcard certs not supports for inbound inspection maybe?
Thanks for reading.
12-20-2016 02:26 PM
What version of PAN-OS are you running? If you are using newer crypto on your certificates you will need PAN-OS 7.1 or higher.
06-03-2018 11:31 AM
We are still looking for a fix with this. We have since upgraded to 8.0.5 and it still doesnt work. Anyone had any success with this?
06-03-2018 11:39 AM
Hi @dkordyban
Does your IIS only accept connections with SNI or does it serve also a default website for connections without SNI? Did you capture traffic between the firewall and the webserver -> does the firewall send the SNI attribute?
Did you open a support case regarding this issue?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
