SSL Inspection issues with GlobalProtect users


L5 Sessionator

We're having some strange SSL/TLS Inspection errors while on GlobalProtect. We are getting unsupported-parameter errors while a user is connected to GlobalProtect and trying to get to any internet site, including things like google.com. A packet capture on the firewall shows the connection trying to happen on TLS 1.0, which we do indeed not allow as part of the decryption profile. This only happens while on GlobalProtect; other users with the same security policies and decryption policies applied work as intended and are decrypted as intended.

This issue appears to have just started today; we updated PAN-OS to 10.2.9-h1 last week. This issue consistently happens on Chrome and Edge, but the issue seems to be almost non-existent on Firefox. None of these browsers have TLS 1.0 enabled. Even on the same computer, it works fine on-prem but has issues on GlobalProtect. Since it's the weird combination of GlobalProtect users using Chromium browsers, I'm not sure which side is incorrectly acting on TLS 1.0. I only see unsupported parameter or decryption error as the session end reason in the traffic logs; there are no errors in the decryption logs. Have tested on GP 6.0.7, 6.2.2, and 6.2.3; we are running PAN-OS 10.2.9-h1.

Unchecking the unsupported mode checks block fixes the issue and gets us running for now.

Has anyone experienced something similar or a direction to look? We've also got a TAC case open.


Accepted Solutions

L3 Networker

7/31/2024 Update: Updated ETA for 10.2.11, 11.2.2

7/15/2024 Update: Current ETA for 10.2.11, addl bug info.

5/14/2024 Update: See below - Bug ID and PANOS fixed versions.

5/6/2024 Update: See below.

Some additional info that might be useful:

Impacts:

  • Any Chromium-based browser (Google Chrome, ARC, Brave, Opera, MS Edge, etc.) gets Kyber enabled by default.
    • Workaround: As noted above, "Disabling the Kyber flags fixes the issue" for now.
  • Any applications that use the 3/22/2024 or later versions of the Chromium Embedded Framework (CEF) may also have Kyber on by default.
    • The macOS Slack Desktop App may be one of these apps. 
      • Workarounds: TBD.
      • These may be more challenging because these apps that embed CEF don't typically have the flags exposed.

5/6/2024 Update:

  • Chromium Embedded Framework (CEF), Slack, and Kyber:
    • I have traffic logs of traffic from the macOS Slack Desktop app showing the typical "decrypt-unsupport-param" errors seen with TLS 1.3 traffic with Kyber enabled.
  • SSL Decryption Workaround:
    • Per PAN TAC, the workaround in the SSL Decryption is to disable the following unsupported mode checks. This will allow all TLS1.3 packets with Kyber enabled to bypass SSL Decryption.
      • The upside is that users are functional.
      • The downside is that a significant (and growing) percentage of traffic is now bypassing SSL Decryption.
    • [Screenshot: Unblock unsupported mode checks]
    • This has an unintended consequence: any traffic with unsupported SSL/TLS versions is now allowed to bypass SSL Decryption. So you may also need to broaden the min/max SSL/TLS protocol versions in order to catch as much encrypted traffic as possible:
    • [Screenshot: SSL Versions.png]

5/14/2024 Update

  • Updates from my TAC case:
    • PAN ID: PAN-253546
    • Fixed versions: 11.2.2, 10.2.11, 10.1.14, 11.1.5, 11.0.7, 10.2.4-h19, 12.1.0

7/15/2024 & 7/31/2024 Update

  • "The issue is caused when the large client hello is split into multiple packets and these arrive as out of order on the firewall." - PAN TAC.
    • Observation: This happened with Chromium-based browsers, including Google Chrome, on a very regular basis.
  • 10.2.11, one of the fixed versions, is scheduled to ship around the end of July 2024 (updated ETA: mid-August 2024).
    • Keep in mind that it's software - it ships when PAN says it's ready. The date here is an estimate only.
  • Shipped: 11.2.2 shipped on 7/31/2024.
  • Not Kyber related, but related and useful: As of PANOS 11.1, PAN firewalls can detect, block, and log the use of PQC and hybrid PQC algorithms in TLSv1.3 session...

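As an added example (not code from this thread or from Palo Alto Networks), the script below builds a constructed TLS 1.3 ClientHello with and without a hybrid Kyber key share, parses it the way a decrypting middlebox would, and reports the supported_groups list, the key_share sizes and how many MSS-sized TCP segments the record needs. It illustrates both points in the update above: a Kyber/ML-KEM hybrid share adds roughly 1.2 KB to the ClientHello, which is why the hello spills across several packets that can then arrive out of order at the firewall. The group code points (0x6399 for X25519Kyber768Draft00, 0x11EC for X25519MLKEM768) and the 1216-byte hybrid share length are the draft values; the key bytes are random filler rather than real keys, and the tunnel MSS in main() is an assumed value.

```python
"""Inspect a TLS 1.3 ClientHello for hybrid post-quantum key shares.

Added example, not the forum's or Palo Alto's code. Builds a constructed
ClientHello, parses it, and reports hybrid PQ groups, share sizes and the
number of TCP segments the record would occupy at a given MSS.
"""
import os
import struct

X25519 = 0x001D
SECP256R1 = 0x0017
X25519_KYBER768_DRAFT00 = 0x6399   # draft code point used by Chrome 124+
X25519_MLKEM768 = 0x11EC           # successor code point (ML-KEM hybrid)

HYBRID_PQ_GROUPS = {
    X25519_KYBER768_DRAFT00: "X25519Kyber768Draft00",
    X25519_MLKEM768: "X25519MLKEM768",
}
GROUP_NAMES = {X25519: "x25519", SECP256R1: "secp256r1", **HYBRID_PQ_GROUPS}

# Client key-share length per group: hybrid = 32 (X25519) + 1184 (Kyber/ML-KEM-768).
KEY_SHARE_LEN = {X25519: 32, SECP256R1: 65,
                 X25519_KYBER768_DRAFT00: 32 + 1184, X25519_MLKEM768: 32 + 1184}


def _u16(n):
    return struct.pack("!H", n)


def build_client_hello(groups, share_groups):
    """Return one TLS record holding a minimal TLS 1.3 ClientHello (constructed sample)."""
    sg = b"".join(_u16(g) for g in groups)
    ext_sg = _u16(10) + _u16(len(sg) + 2) + _u16(len(sg)) + sg            # supported_groups
    shares = b"".join(_u16(g) + _u16(KEY_SHARE_LEN[g]) + os.urandom(KEY_SHARE_LEN[g])
                      for g in share_groups)                              # random filler, not keys
    ext_ks = _u16(51) + _u16(len(shares) + 2) + _u16(len(shares)) + shares  # key_share
    versions = b"\x02\x03\x04"                                            # TLS 1.3 only
    ext_sv = _u16(43) + _u16(len(versions)) + versions                    # supported_versions
    exts = ext_sg + ext_ks + ext_sv
    body = (b"\x03\x03" + os.urandom(32)   # legacy_version + random
            + b"\x00"                      # empty legacy_session_id
            + _u16(2) + b"\x13\x01"        # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                  # compression_methods: null only
            + _u16(len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body         # type=client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake


def parse_client_hello(record):
    """Walk the record like a middlebox would; return groups, share sizes and record length."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                    # handshake header, legacy_version, random
    p += 1 + hs[p]                                    # legacy_session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]      # cipher_suites
    p += 1 + hs[p]                                    # compression_methods
    ext_total = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_total
    info = {"supported_groups": [], "key_shares": {}, "record_len": len(record)}
    while p < end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        data = hs[p:p + elen]
        p += elen
        if etype == 10:                               # supported_groups
            n = struct.unpack("!H", data[:2])[0]
            info["supported_groups"] = [struct.unpack("!H", data[2 + i:4 + i])[0]
                                        for i in range(0, n, 2)]
        elif etype == 51:                             # key_share: list of (group, len, key)
            q = 2
            while q < len(data):
                g, klen = struct.unpack("!HH", data[q:q + 4])
                info["key_shares"][g] = klen
                q += 4 + klen
    return info


def hybrid_pq_shares(info):
    """Names and sizes of any hybrid PQ key shares the client offered."""
    return {GROUP_NAMES[g]: n for g, n in info["key_shares"].items() if g in HYBRID_PQ_GROUPS}


def tcp_segments_needed(record_len, mss=1460):
    """Segments the record occupies; more than one means a split ClientHello on the wire."""
    return -(-record_len // mss)


def main():
    plain = parse_client_hello(build_client_hello([X25519, SECP256R1], [X25519]))
    pq = parse_client_hello(build_client_hello(
        [X25519_KYBER768_DRAFT00, X25519, SECP256R1], [X25519_KYBER768_DRAFT00, X25519]))
    for label, info in (("classical", plain), ("kyber hybrid", pq)):
        print(f"{label:13s} record={info['record_len']:5d} B  pq_shares={hybrid_pq_shares(info)}"
              f"  segments@1460={tcp_segments_needed(info['record_len'])}"
              f"  segments@1300(assumed tunnel MSS)={tcp_segments_needed(info['record_len'], 1300)}")


if __name__ == "__main__":
    main()
```

Feeding parse_client_hello() the first TCP payload bytes of a captured session shows whether the client advertised a hybrid group and how large the record is, which separates a PQ-related decrypt-unsupport-param from a genuine unsupported protocol version. The constructed hello is deliberately minimal; a real browser hello carries many more extensions, so the realistic total is larger than the figures printed here, and only the 1.2 KB delta should be read as representative.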

L5 Sessionator

I have received this from our TAC case: 

We have an internally reported issue and the target fix versions are:
10.2.11, 10.1.14, 11.1.5, 11.0.7


23 Replies

L2 Linker

Faced the same issue after upgrading to 10.2.8-h3. Also observed the same behavior on 10.2.9-h1. Running GP version 6.1.4; the same issue was on the 5.1 version as well.

L5 Sessionator

Palo sent this for a Prisma Access alert; however, this appears to be the cause of the issue for our on-prem environment as well, as I am able to replicate the issue on demand by editing this flag in the browser. If we change these flags in Chrome and Edge it resolves the issue. For now we have unchecked the "Block sessions with unsupported" checkbox in the SSL Decryption profile, which is allowing us to get by without changing the flags on the endpoints at this time. We're working with TAC on what Palo's recommendations are.

Recommendations for Addressing Site Access Challenges with Decryption on Google Chrome Browser 124 and Higher

 
New incident: Monitoring
 
For customers encountering challenges while accessing specific sites with decryption enabled and upon receiving "decrypt-unsupport-param" logs, particularly when using Google Chrome browser version 124 and higher, we suggest trying the following steps:

Issue Identification: The observed difficulties may arise from Kyber Support integrated by Chrome for the TLS 1.3 version.

Chrome Flags Configuration: Please review the configuration settings in Chrome Flags. This can be done by navigating to "chrome://flags/#enable-tls13-kyber" and examining the setup.

Disabling the Option: We encourage you to consider disabling the Kyber Support option and then relaunching the browser to assess if it resolves the issue.


If you continue to experience any difficulties, please open a support case. We sincerely appreciate your patience as we diligently work to resolve this matter.

L2 Linker

Thank you @Claw4609 for sharing.

L3 Networker

Hello Team

Is this a known issue? Is anybody aware if this has been identified as a bug?

L0 Member

We just started with the exact same behavior as OP on 4/20. GP clients are the only ones affected... 10.2.8-h3 or 10.2.9-h1 ... any version of GP. Disabling the Kyber flags fixes the issue, as do the other suggestions in this thread.

L0 Member

With the hybridized Kyber TLS 1.3 support enabled by Google, which affects SSL decrypt, is this specifically impacting PAN-OS 10.1, 10.2 and 11.0? I ask out of curiosity because quantum security is in code 11.1, which may or may not be applicable in this scenario.

 

We're running 10.1.11-h4 and GP 6.0.7. 

L0 Member

Seeing the same issue with GP users in our environment. No issues when they are on-prem or on-prem wifi.
Disabling the Chrome flag looks to resolve the issue. Thanks for the suggestion!
This was a nasty one; it took a good while to track down the very odd intermittent symptoms.

Since this is only happening to users on GP, is there anything that palo can/will address on this? 

We are running PANOS - 10.1.9-H8 - GP 6.1.4

Did you by any chance upgrade to the recommended version and test?

L5 Sessionator

We're currently running 10.2.9-h1 and others have reported the issue on other versions. The targeted fix releases aren't out yet; given they are two versions away, my guess would be 4-6 months until release, but I'm asking TAC if they have an ETA.

Ah, my bad, I did not look for 10.2 versions. Yes, I reported the issue with the TAC as well. We are on 10.1.11. I am awaiting their response regarding fix versions and ETA. Thanks much!

Is there a bug-id referenced in the case?

L5 Sessionator

Not that they said at least, they just said they have an internal bug-id created. Also stated there is no current ETA on the targeted fix releases.
