09-10-2018 10:23 AM
I had SSL decryption in place on PA_5020 and it seems like during peak times, my internal data traffic is reaching the max SSL decryption session limit, and sessions beyond the limit are shown as decrypt errors and are sent un-decrypted. Is there any solution for this besides a hardware upgrade or offloading SSL decryption to a proxy?
Thanks.
09-10-2018 10:58 AM
The 5020 has a relatively small Max concurrent decryption sessions limit of 15,872 in comparison to the rest of the platform limits. One way to get around this would be to take a look at what exactly you are decrypting and see if you can potentially leave out some traffic that you don't really care about.
Otherwise, if you have that nailed down to simply what you require to actually be decrypted, then your solution would really be as you already stated: move it to a proxy or upgrade the hardware. Keep in mind that the *200 series (5200/3200) are vastly better spec'd, and the 5220 would bring you all the way up to 400,000 Max concurrent decryption sessions.