Outside of minimum and maximum supported tls versions and ciphers what are some things to look for on SSL Labs that would be breaking decryption. In the Palo decryption logs if it shows error "Early close notify" what would be something to look for as the root cause?
Are you having issues with ssl decryption if users access the site?
SSL Labs by design will try different cipher settings and tests site security posture so seeing logs about failed connections in firewall logs is expected when those tests are performed.
Hi @Claw4609 ,
I agree with you. It would be nice if PANW had an index of decryption errors. I found this -> https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/troubleshoot-and-monitor-decry... but an index of every error and cause would be nice.
Claw4609, I have recently just started to see a ton of early close notify Protocol errors on our PA's for and it seems to have just started. Some of the sites are well known sites with a fully trusted chains such as youtube.com and connectivitycheck.gstatic.com.
Is that what you are seeing?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!