SSL Inspection issues with GlobalProtect users


L5 Sessionator

We're having some strange SSL/TLS Inspection errors while on GlobalProtect. We are getting unsupported-parameter errors while a user is connected to GlobalProtect trying to get to any internet site, including things like google.com. Doing a packet capture on the firewall, it shows the connection trying to happen on TLS 1.0, which we do indeed not allow as part of the decryption profile. This only happens while on GlobalProtect; other users with the same security policies and decryption policies applied work as intended and are decrypted as intended.


This issue appears to have just started today; we updated PAN-OS to 10.2.9-h1 last week. This issue consistently happens on Chrome and Edge, but the issue seems to be almost non-existent on Firefox. None of these browsers have TLS 1.0 enabled. Even on the same computer, it works fine on-prem but has issues on GlobalProtect. Since it's the weird combination of GlobalProtect users while using Chromium browsers, not sure which side is incorrectly acting on TLS 1.0. I only see unsupported parameter or decryption error as the session end reason in the traffic logs; there are no errors in the decryption logs. Have tested on GP 6.0.7, 6.2.2, and 6.2.3; we are running PAN-OS 10.2.9-h1.


Unchecking the unsupported mode checks block fixes the issue and gets us running for now.


Has anyone experienced something similar or a direction to look? We've also got a TAC case open.
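As an added illustration (not from the thread or from Palo Alto Networks): a TLS 1.3 ClientHello legitimately carries 0x0301 (TLS 1.0) in its record-layer version and 0x0303 in legacy_version, with the real offer living in the supported_versions extension (RFC 8446 §4.2.1), so a capture filter or inspector that keys on the outer fields can misreport a modern handshake as TLS 1.0. The Python below builds a constructed ClientHello and pulls out all three version fields so the real maximum offered version can be compared against what the capture display shows.

```python
import struct

SUPPORTED_VERSIONS_EXT = 43  # extension type from RFC 8446
TLS_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
             0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def build_client_hello(record_version, legacy_version, supported=()):
    """Build a minimal, constructed ClientHello record for testing the parser."""
    body = struct.pack("!H", legacy_version) + b"\x00" * 32   # client_version + random
    body += b"\x00"                                            # empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01"                 # one cipher suite
    body += b"\x01\x00"                                        # compression: null only
    if supported:                                              # TLS 1.3-style hello
        versions = b"".join(struct.pack("!H", v) for v in supported)
        ext_body = bytes([len(versions)]) + versions
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext_body)) + ext_body
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake

def offered_versions(record):
    """Return (record_version, legacy_version, supported_versions or None)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    record_version = struct.unpack("!H", record[1:3])[0]
    pos = 9                                                    # start of ClientHello body
    legacy_version = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + 32                                              # skip random
    pos += 1 + record[pos]                                     # skip session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]     # skip cipher_suites
    pos += 1 + record[pos]                                     # skip compression_methods
    supported = None
    if pos < len(record):                                      # extensions are optional
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            if etype == SUPPORTED_VERSIONS_EXT:
                n = record[pos + 4]
                supported = [struct.unpack("!H", record[pos + 5 + i:pos + 7 + i])[0]
                             for i in range(0, n, 2)]
            pos += 4 + elen
    return record_version, legacy_version, supported

def effective_max_version(record):
    """Highest version the client really offers; supported_versions overrides the legacy fields."""
    _, legacy_version, supported = offered_versions(record)
    return max(supported) if supported else legacy_version
```

A hello whose record layer says TLS 1.0 but whose supported_versions lists 0x0304 is a TLS 1.3 offer, so a decryption-profile block on TLS 1.0 should not be triggered by that field alone.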

17 REPLIES


    • PAN ID: PAN-253546
    • Fixed versions: 11.2.2, 10.2.11, 10.1.14, 11.1.5, 11.0.7, 10.2.4-h19, 12.1.0

10.1.14 dropped yesterday, with no mention in the release notes of this bug.  Is it fixed in that version, or do we need to wait another couple months?

L1 Bithead

I'm not seeing anything related in the 1.1.14 release notes?
Someone got it tested yet?

Hello,

Thanks for your post. What about 10.2? Because there is no 10.2.10 yet... I did some Wireshark captures and the Palo Alto is downgrading the protocol in my case from TLS 1.3 to TLS 1.2. This is one of the expected behaviours, BUT why is it downgrading to TLS 1.2 and not TLS 1.3 without the PQC algo??? I opened a TAC case for that.

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/decryption/post-quantum-cryptography-dete...

Have a great day,
