I have a decryption policy for inbound SSL decryption to a webpage. Therefore I have included the private certificate.
At decryption monitor there is a message:
( error eq 'Unsupported cipher. Supported client cipher bitmask: 0x00000000. Supported decrypt profile cipher bitmask: 0x00000014.' )
Found this link https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decry... but my bitmask is 0x00?
How can I fix it? I chose the strict ssl control decryption profile but no help.
Hi @Moritz ,
Supported cipher suites will vary depending on your PAN-OS version. What's your current version and how is your decryption profile configured?
As an example, some earlier PAN-OS versions only supported DHE or ECDHE for SSL Forward Proxy (it wasn't supported for Inbound Inspection).
You might want to do some more debugging and check on which cipher suite client/server agree upon in the SSL handshake and compare that to the compatibility matrix to see if it's actually supported:
Hope it helps
You need to look at the supported cipher suite document that @kiwi linked and pass that along to the person running your web server or load balancer. The website and the firewall need to have the same ciphers enabled so that the firewall can actually proxy the traffic. There's not a magic solution to this one, you need to work with your web admin.
Hi @Moritz ,
What @BPry said 🙂 !
My guess is that the web server offers a cipher suite that the PA doesn't support. If you can run a PCAP you should be able to capture the SSL handshake and get information on the cipher suite being used.
Hope this helps,
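Once the handshake has been captured as the replies above suggest, the offered and selected cipher suites can be read directly from the ClientHello and ServerHello records. This is an added example, not part of the original thread or of Palo Alto's tooling: `parse_hello`, `unsupported`, `build_sample` and the sample records are constructed for illustration, `ALLOWED` is a placeholder to fill from the compatibility matrix for your PAN-OS version, and each hello is assumed to fit in a single TLS record.

```python
# Subset of IANA TLS cipher suite IDs, enough to name the constructed samples.
SUITE_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
}
# Placeholder allow-list (assumption): replace with the suites the
# compatibility matrix lists for your PAN-OS version and decryption mode.
ALLOWED = {0x002F, 0x009C}

def parse_hello(record: bytes):
    """Return ("client", offered_ids) or ("server", [chosen_id]) for one TLS record."""
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if record[:1] != b"\x16" or len(body) < 4:
        raise ValueError("not a TLS handshake record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    if len(msg) != hs_len or hs_len < 35:
        raise ValueError("truncated or fragmented hello")
    pos = 2 + 32                   # skip legacy_version and random
    pos += 1 + msg[pos]            # skip session_id (length-prefixed)
    if hs_type == 0x01:            # ClientHello: length-prefixed list of suites
        n = int.from_bytes(msg[pos:pos + 2], "big")
        raw = msg[pos + 2:pos + 2 + n]
        if n == 0 or n % 2 or len(raw) != n:
            raise ValueError("bad cipher_suites vector")
        return "client", [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]
    if hs_type == 0x02:            # ServerHello: exactly one selected suite
        if pos + 2 > len(msg):
            raise ValueError("truncated ServerHello")
        return "server", [int.from_bytes(msg[pos:pos + 2], "big")]
    raise ValueError("not a ClientHello or ServerHello")

def unsupported(ids, allowed=ALLOWED):
    """Names (or hex IDs) of suites that are not in the allow-list."""
    return [SUITE_NAMES.get(i, f"0x{i:04X}") for i in ids if i not in allowed]

def build_sample(hs_type: int, tail: bytes) -> bytes:
    """Constructed hello: version 0x0303, zero random, empty session_id, then tail."""
    msg = b"\x03\x03" + bytes(32) + b"\x00" + tail
    hs = bytes([hs_type]) + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs

CLIENT_HELLO = build_sample(1, b"\x00\x06\xc0\x2f\xc0\x30\x13\x01\x01\x00")
SERVER_HELLO = build_sample(2, b"\xc0\x30\x00")
```

Feed `parse_hello` the raw record bytes exported from the capture, then pass the returned IDs to `unsupported` to see which suites the web server or client would need to change.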