06-28-2020 02:15 AM
Hello Everyone,
I am running PAN-OS 9.0.9 on my PA-3020. When enabling SSL forward proxy and try to access google.com, I get the tls13_downgradedetected error on chrome. I get the same problem even when using other browsers but different error description.
When I first applied the SSL forward proxy configuration, I was running PAN-OS 8.1.3. So I followed the instructions mentioned in previous posts to upgrade to 8.1.4. So, I upgraded to version PAN-OS 9.0.9 thinking that it should have this issue resolved as well. But the problem is still there.
Can someone help me figure out how to overcome this issue? Is it an issue with the PAN-OS version I am running? or some configuration that I need to apply?
06-28-2020 06:15 AM
Hi
Please take the action recommended below if you have enabled SSL decryption forward proxy. This is required for users to access Gmail and other websites and applications using web browsers that implement strict TLS 1.3 compliance. We have been informed that Google Chrome is planning to implement strict TLS 1.3 compliance in their upcoming version 73. The stable build of Google Chrome version 73 may be available in mid-March 2019, and if your users use a pre-stable build of Google Chrome, they will experience the issue outlined below earlier.
Action Required: Upgrade to a supported PAN-OS release version
PAN-OS 8.1.4 or above 8.1.x Preferred Version
Impact:
Without upgrading to one of the above maintenance releases, users may no longer be able to access Gmail and other websites and applications that utilize TLS 1.3 when SSL forward proxy decryption is in use. As a result, your users will receive the following web browser error: ‘ERR_TLS13_DOWNGRADE_DETECTED’.
By upgrading PAN-OS to one of the above maintenance releases, your users will be able to continue to access Gmail and other TLS 1.3 enabled websites and applications when using browsers that exhibit this behavior.
Thank you,
Mohd Yasin
Changelog:
01/22 - Updated to reflect the availability of maintenance releases
01/23 - Updated to reflect new Chrome release version
06-28-2020 06:15 AM
Hi
Please take the action recommended below if you have enabled SSL decryption forward proxy. This is required for users to access Gmail and other websites and applications using web browsers that implement strict TLS 1.3 compliance. We have been informed that Google Chrome is planning to implement strict TLS 1.3 compliance in their upcoming version 73. The stable build of Google Chrome version 73 may be available in mid-March 2019, and if your users use a pre-stable build of Google Chrome, they will experience the issue outlined below earlier.
Action Required: Upgrade to a supported PAN-OS release version
PAN-OS 8.1.4 or above 8.1.x Preferred Version
Impact:
Without upgrading to one of the above maintenance releases, users may no longer be able to access Gmail and other websites and applications that utilize TLS 1.3 when SSL forward proxy decryption is in use. As a result, your users will receive the following web browser error: ‘ERR_TLS13_DOWNGRADE_DETECTED’.
By upgrading PAN-OS to one of the above maintenance releases, your users will be able to continue to access Gmail and other TLS 1.3 enabled websites and applications when using browsers that exhibit this behavior.
Thank you,
Mohd Yasin
Changelog:
01/22 - Updated to reflect the availability of maintenance releases
01/23 - Updated to reflect new Chrome release version
06-28-2020 06:30 AM
Thank you Mohammed. I have already upgraded to PAN-OS 9.0.9 but still facing the same issue.
07-07-2020 12:45 AM
Just wanted to update this post to mention that the upgrade did solve the problem. I was just running through a different type of problem after the upgrade.
07-07-2020 01:28 AM
Could you brief of your running problem
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
