SSL Inspection issues with GlobalProtect users


L4 Transporter

We're having some strange SSL/TLS Inspection errors while on GlobalProtect. We are getting unsupported-parameter errors while a user is connected to GlobalProtect trying to get to any internet site, including things like google.com. Doing a packet capture on the firewall, it shows the connection trying to happen on TLS 1.0, which we do indeed not allow as part of the decryption profile. This only happens while on GlobalProtect; other users with the same security policies and decryption policies applied work as intended and are decrypted as intended.

 

This issue appears to have just started today; we updated PAN-OS to 10.2.9-h1 last week. This issue consistently happens on Chrome and Edge, but the issue seems to be almost nonexistent on Firefox. None of these browsers have TLS 1.0 enabled. Even on the same computer, it works fine on-prem but has issues on GlobalProtect. Being that it's the weird combination of GlobalProtect users while using Chromium browsers, I'm not sure which side is incorrectly acting on TLS 1.0. I only see unsupported parameter or decryption error as the session end reason in the traffic logs; there are no errors in the decryption logs. Have tested on GP 6.0.7, 6.2.2, and 6.2.3; we are running PAN-OS 10.2.9-h1.

 

Unchecking the unsupported mode checks block fixes the issue and gets us running for now.

 

Has anyone experienced something similar or have a direction to look? We've also got a TAC case open.

Accepted Solutions

L3 Networker

Some additional info that might be useful:

 

Impacts:

  • Any Chromium-based browser (Google Chrome, ARC, Brave, Opera, MS Edge, etc.) gets Kyber enabled by default.
    • Workaround: As noted above, "Disabling the Kyber flags fixes the issue" for now.
  • Any applications that use the 3/22/2024 or later versions of the Chromium Embedded Framework (CEF) may also have Kyber on by default.
    • The macOS Slack Desktop App may be one of these apps.
    • Workarounds: TBD.
    • These may be more challenging because these apps that embed CEF don't typically have the flags exposed.


L4 Transporter

I have received this from our TAC case: 

 

We have internal reported issue and the target fix versions are:
10.2.11, 10.1.14, 11.1.5, 11.0.7


9 REPLIES

L0 Member

Faced the same issue after upgrading to 10.2.8-h3. Also observed the same behavior on 10.2.9-h1 as well. Running GP version 6.1.4; the same issue was on the 5.1 version as well.

L4 Transporter

Palo sent this for a Prisma Access alert; however, this appears to be the cause of the issue for our on-prem environment as well, as I am able to replicate the issue on demand by editing this flag in the browser. If we change these flags in Chrome and Edge it resolves the issue. We for now have unchecked the "Block sessions with unsupported" checkbox in the SSL Decryption profile for the time being, which is allowing us to get by without changing the flags on the endpoints at this time. We're working with TAC on what Palo's recommendations are.

 

 
 

Recommendations for Addressing Site Access Challenges with Decryption on Google Chrome Browser 124 and Higher

 
New incident: Monitoring
 
For customers encountering challenges while accessing specific sites with decryption enabled and upon receiving "decrypt-unsupport-param" logs, particularly when using Google Chrome browser version 124 and higher, we suggest trying the following steps:

Issue Identification: The observed difficulties may arise from Kyber Support integrated by Chrome for the TLS 1.3 version.

Chrome Flags Configuration: Please review the configuration settings in Chrome Flags. This can be done by navigating to "chrome://flags/#enable-tls13-kyber" and examining the setup.

Disabling the Option: We encourage you to consider disabling the Kyber Support option and then relaunching the browser to assess if it resolves the issue.


If you continue to experience any difficulties, please open a support case. We sincerely appreciate your patience as we diligently work to resolve this matter.
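A way to confirm from a capture whether a given client is offering the Kyber hybrid key share discussed above, as an added example that is not part of the original posts or of any Palo Alto tooling. It assumes the input is one reassembled TLS record holding the ClientHello; the sample bytes are constructed, and the function names are hypothetical. It also reports the record-layer version, which a TLS 1.3 ClientHello may set to 0x0301, one reason a capture can label such a handshake as TLS 1.0.

```python
import struct

# TLS NamedGroup codepoints; 0x6399 is the hybrid X25519Kyber768Draft00 group.
GROUPS = {0x0017: "secp256r1", 0x001D: "x25519", 0x6399: "X25519Kyber768Draft00"}

def parse_client_hello(record: bytes) -> dict:
    """Summarise one reassembled TLS record that carries a ClientHello."""
    ctype, rec_ver, _ = struct.unpack("!BHH", record[:5])
    if ctype != 22 or record[5] != 1:
        raise ValueError("not a handshake record with a ClientHello")
    p = 5 + 4 + 2 + 32                # record hdr, handshake hdr, legacy_version, random
    p += 1 + record[p]                # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
    p += 1 + record[p]                # compression_methods
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    info = {"record_version": rec_ver, "versions": [], "key_shares": {},
            "size": len(record)}
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == 43:               # supported_versions: 1-byte list length first
            info["versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                for i in range(1, 1 + data[0], 2)]
        elif etype == 51:             # key_share: 2-byte list length, then entries
            q = 2
            while q + 4 <= len(data):
                group, klen = struct.unpack("!HH", data[q:q + 4])
                info["key_shares"][GROUPS.get(group, hex(group))] = klen
                q += 4 + klen
    return info

def offers_kyber(info: dict) -> bool:
    return "X25519Kyber768Draft00" in info["key_shares"]

def build_sample(kyber: bool) -> bytes:
    """Constructed ClientHello (zeroed random and keys), not a real capture."""
    shares = [(0x6399, bytes(1216))] if kyber else []
    shares.append((0x001D, bytes(32)))
    ks = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in shares)
    exts = struct.pack("!HHB", 43, 3, 2) + b"\x03\x04"      # offers TLS 1.3
    exts += struct.pack("!HHH", 51, len(ks) + 2, len(ks)) + ks
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for flag in (False, True):
        print(parse_client_hello(build_sample(flag)))
```

The 1216-byte hybrid share is what pushes the ClientHello past the size of a typical single TCP segment, so comparing `size` between a working and a failing client is a quick first check.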

L0 Member

Thank you @Claw4609 for sharing.

L2 Linker

Hello Team

Is this a known issue? Is anybody aware if this has been identified as a bug?

L0 Member

We just started with the exact same behavior as OP on 4/20.  GP clients are the only ones affected... 10.2.8-h3 or 10.2.9-h1 ... any version of GP.  Disabling the Kyber flags fixes the issue as well as the other suggestions in this thread.

L0 Member

With the hybridized Kyber TLS 1.3 support enabled by Google, which affects SSL decrypt, is this specifically impacting PAN-OS 10.1, 10.2 and 11.0? I ask out of curiosity because quantum security is in code 11.1, which may or may not be applicable in this scenario.

 

We're running 10.1.11-h4 and GP 6.0.7. 

L0 Member

Seeing the same issue with GP users in our environment. No issues when they are on prem or on prem wifi.
Disabling the Chrome flag looks to resolve the issue. Thanks for the suggestion!
This was a nasty one; took a good while to track down the very odd intermittent symptoms.

Since this is only happening to users on GP, is there anything that Palo can/will address on this?

We are running PAN-OS 10.1.9-H8 and GP 6.1.4.
