- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
04-22-2024 02:34 PM - edited 04-22-2024 02:36 PM
We're having some strange SSL/TLS Inspection errors while on GlobalProtect. We are getting unsupported-parameter errors while a user is connected to GlobalProtect trying to get to any internet site, including things like google.com. Doing a packet capture on the firewall it shows the connection trying to happen on tls 1.0 which we do indeed not allow as part of the decryption profile. This only happens while on GlobalProtect, other users with the same security policies and decryption polices applied work as intended and are decrypted as intended.
This issue appears to have just started today, we updated PAN-OS to 10.2.9-h1 last week. This issue consistently happens on Chrome and Edge, but the issue seems to be almost non existent on Firefox. Which none of these browsers have tls 1.0 enabled. Even on the same computer, it works fine on-prem but has issues on GlobalProtect. Being its the weird combination of GlobalProtect users while using Chromium browsers, not sure which side is incorrectly acting on tls 1.0. I only see unsupported parameter or decryption error as the session end reason in the traffic logs, there are no errors in the decryption logs. Have tested on GP 6.0.7, 6.2.2, and 6.2.3, we are running PAN-OS 10.2.9-h1.
Unchecking the unsupported mode checks block fixes fixes the issue and gets us running for now.
Has anyone experienced something similar or a direction to look? We've also got a TAC case open.
05-31-2024 01:50 AM
- PAN ID: PAN-253546
- Fixed versions: 11.2.2, 10.2.11, 10.1.14, 11.1.5, 11.0.7, 10.2.4-h19, 12.1.0
10.1.14 dropped yesterday, with no mention in the release notes of this bug. Is it fixed in that version, or do we need to wait another couple months?
06-03-2024 02:31 AM
i'm not seeing anything related in the 1.1.14 release notes?
someone got it tested yet?
06-14-2024 02:42 AM
Hello,
Thanks for your post. What about the 10.2 ? Because there is not 10.2.10 yet... I did some wireshark capture and the palo alto is downgrading the protocol in my case from TLS1.3 to TLS1.2. This is one of the expected behaviour BUT why it is downgrading in TLS1.2 and not in TLS1.3 without the PQC algo??? I opened a TAC for that.
Have a great day,
07-23-2024 12:41 AM
Hi,
I also have a case open in regards to the issue. TAC confirmed the mentioned versions
But we still have the issue in 10.1.14-h2 and I am also wondering why it is not mentioned in the release notes.
07-23-2024 01:10 AM
Hi, i am wondering the same thing.
I have seen this in the 11.2 release note : "Post-quantum cryptography (PQC) is all about the next-gen cryptographic algorithms. These babies replace the old-school ones like Diffie Hellman, RSA, and elliptic curve, which are sitting ducks for those quantum computers. With PAN-OS 11.2 Quasar, we're extending the post-quantum safe VPN introduced in PAN-OS 11.1 Cosmos by introducing PQC algorithms to create quantum-safe hybrid keys."
This functionality is available in 11.1: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/decryption/post-quantum-cryptography-dete... est celle de la version 11.1.There is no reference about PQC in previous versions.
FYI : 11.1.2-h3 is the preferred release.
07-23-2024 10:52 AM
Since you have an open case, its time to ask PAN TAC. If the fixed version changed, we all would appreciate the update!
09-24-2024 07:41 AM
Hello,
those version have now come out.
Did those release fixed the issue ?
As I don't see anything in the release notes. no mention of QPC neither Chrome neither the keyword of Kyber 768
many thanks
09-24-2024 06:30 PM
Yes, it was fixed with the mentioned version. But when I remember correctly not immediately. Might require restart of services or appliance.
11-18-2024 05:54 PM
Updated list of code levels with fixes for PAN-253546. Thank you to PAN TAC:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!