SSL Inbound Inspection

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

SSL Inbound Inspection

L1 Bithead


I have setup a decryption policy to decrypt inbound SSL traffic for the Exchange web mail server. However, when I check the logs I see only some traffic as decrypted and some arnn't. Refer below screenshots,



Why isn't the policy not decrypting all the traffic?

I'm trying to decommission the Microsoft ISA server used as reverse proxy for Exchnage Web mail. Is it safe to use inbound SSL inspection and NAT the traffic into the internal exchnage sever?



L7 Applicator

This seems normal to me.  In the same way that not every thing is fully inspected in normal traffic streams but goes through the fast path, ssl decryption is similarly situated.  Enough needs to be seen for app-id and threat scans to do their job and the rest is fast path through.

I'm not sure I follow your comment on MS ISA server.  The Palo Alto is a firewall, NOT a reverse proxy.  In some ways a reverse proxy is better but in other ways the Palo Alto inspections are a big improvement. 

If you want to reverse proxy and/or load balance the traffic you would still need another appliance to replace the ISA.  This would sit behind the Palo Alto so all the inspection and firewall protection would be in place, but the traffic is buffered by the reverse proxy towards the servers.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L4 Transporter

maybe one of the clients used an unsupported SSL chiper suite because they are selected by clients

L5 Sessionator

Below document show the support cipher suite.

Which Ciphers are Supported by PAN-OS and Panorama?

Like kdd mentioned it is possible it that they used unsupported cipher suite.

Hope this helps.




Thanks for the response. It make sense. I'm not specifically looking for reverse proxy solution. If I can achive similar security by SSL inspection that would be suffient.

L3 Networker



I have the same situation with inbound inspection.

same source and destination ip addresses on logs but sometimes ssl(not-decrypted), sometimes web-browsing(decrypted)

what can be the reason for that ?



The same thing is still true today; PAN doesn't support the full cipher suite, additonally as long as the PA can get the applicaiton ID and do a threat scan it lets other traffic through on the fast path becuase of processing restrictions. It's also important to note that if you are using a smaller device it's very possible that you are hitting the session limit on your PA, anything over that limit will not be decrypted because the PA can not spare the system resources required to process the request and keep the traffic flowing through the firewall. Without a little more back story and actually looking at the logs on the device it's pretty impossible to say if you are encountering normal behavior or if something with your decryption policy doesn't sit right with your setup. 

  • 6 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!