11-14-2017 01:59 PM
Hello.
One of my users was trying to go to:
https://mn.b3benchmarking.com/Launch
We have SSL forward proxy enabled. If I exclude the site from decryption it comes up fine. We are not using any decryption profiles.
Can anyone tell me why the site won't come up?
I did run a check using
https://www.ssllabs.com/ssltest/analyze.html?d=mn.b3benchmarking.com
but am not sure how to interpret the output.
Thanks,
Dannon
11-15-2017 10:08 AM
After looking at the SSL Labs report for this website and seeing all the issues... Try getting in contact with the website owner to fix their site (I have had to do this myself on several occasions). Then, if they don't fix their site and you still require access, create a decryption policy that excludes this one URL.
We are running PAN-OS 8.0.5, and the webpage doesn't load for me either.
11-15-2017 01:17 AM
Hi @dannon,
What PAN-OS are you running? Note that older PAN-OS versions have fewer supported ciphers:
https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/supported-cipher-suites
The site you mentioned seems to support only older protocols (no TLS 1.1, 1.2 or 1.3). You might have configured a Min version on your firewall.
Also you might have configured your decryption in such a way to block unsupported versions.
Have you checked the global counters for possible issues?
The "show counter global" command will show if a cipher suite is unsupported.
With a PCAP filter applied and using delta counters:
> show counter global filter packet-filter yes delta yes
or
> show counter global filter delta yes | match "ssl_server_cipher_not_supported"
Hope this helps,
-Kim.
11-15-2017 10:46 AM
Thanks.
We run 8.0.5 and I'm glad it's not unique to our setup.
I have excluded the website for the time being.
Dannon