SSL Inspection issues with GlobalProtect users

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SSL Inspection issues with GlobalProtect users

Cyber Elite
Cyber Elite

We're having some strange SSL/TLS Inspection errors while on GlobalProtect. We are getting unsupported-parameter errors while a user is connected to GlobalProtect trying to get to any internet site, including things like google.com. Doing a packet capture on the firewall it shows the connection trying to happen on tls 1.0 which we do indeed not allow as part of the decryption profile. This only happens while on GlobalProtect, other users with the same security policies and decryption polices applied work as intended and are decrypted as intended. 

 

This issue appears to have just started today, we updated PAN-OS to 10.2.9-h1 last week. This issue consistently happens on Chrome and Edge, but the issue seems to be almost non existent on Firefox. Which none of these browsers have tls 1.0 enabled. Even on the same computer, it works fine on-prem but has issues on GlobalProtect. Being its the weird combination of GlobalProtect users while using Chromium browsers, not sure which side is incorrectly acting on tls 1.0. I only see unsupported parameter or decryption error as the session end reason in the traffic logs, there are no errors in the decryption logs. Have tested on GP 6.0.7, 6.2.2, and 6.2.3, we are running PAN-OS 10.2.9-h1.

 

Unchecking the unsupported mode checks block fixes fixes the issue and gets us running for now.

 

Has anyone experienced something similar or a direction to look? We've also got a TAC case open.

23 REPLIES 23


    • PAN ID: PAN-253546
    • Fixed versions: 11.2.2, 10.2.11, 10.1.14, 11.1.5, 11.0.7, 10.2.4-h19, 12.1.0

10.1.14 dropped yesterday, with no mention in the release notes of this bug.  Is it fixed in that version, or do we need to wait another couple months?

L1 Bithead

i'm not seeing anything related in the 1.1.14 release notes?
someone got it tested yet?

Hello,

Thanks for your post. What about the 10.2 ? Because there is not 10.2.10 yet... I did some wireshark capture and the palo alto is downgrading the protocol in my case from TLS1.3 to TLS1.2. This is one of the expected behaviour BUT why it is downgrading in TLS1.2 and not in TLS1.3 without the PQC algo??? I opened a TAC for that.

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/decryption/post-quantum-cryptography-dete...

Have a great day,

L1 Bithead

Hi,

 

I also have a case open in regards to the issue. TAC confirmed the mentioned versions 

  • Fixed versions: 11.2.2, 10.2.11, 10.1.14, 11.1.5, 11.0.7, 10.2.4-h19, 12.1.0

But we still have the issue in 10.1.14-h2 and I am also wondering why it is not mentioned in the release notes.

L2 Linker

Hi, i am wondering the same thing. 

I have seen this in the 11.2 release note : "Post-quantum cryptography (PQC) is all about the next-gen cryptographic algorithms. These babies replace the old-school ones like Diffie Hellman, RSA, and elliptic curve, which are sitting ducks for those quantum computers. With PAN-OS 11.2 Quasar, we're extending the post-quantum safe VPN introduced in PAN-OS 11.1 Cosmos by introducing PQC algorithms to create quantum-safe hybrid keys."

This functionality is available in 11.1: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/decryption/post-quantum-cryptography-dete... est celle de la version 11.1.There is no reference about PQC in previous versions.

FYI : 11.1.2-h3 is the preferred release.

Since you have an open case, its time to ask PAN TAC. If the fixed version changed, we all would appreciate the update!

Hello,

 

those version have now come out.

Did those release fixed the issue ?

As I don't see anything in the release notes. no mention of QPC neither Chrome neither the keyword of Kyber 768

many thanks

 

Yes, it was fixed with the mentioned version. But when I remember correctly not immediately. Might require restart of services or appliance.

L3 Networker

Updated list of code levels with fixes for PAN-253546. Thank you to PAN TAC:

  • 12.1.0
  • 11.2.1, 11.2.2,
  • 11.1.4, 11.1.5, 11.1.3-h2, 11.1.2-h9
  • 11.0.7
  • 10.2.10, 10.2.11, 10.2.4-h19, 10.2.7-h11, 10.2.9-h6, 10.2.8-h10
  • 10.1.14
  • 21587 Views
  • 23 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!