Use MP SSL Session Cache


Cyber Elite

When I run the below command


show system setting ssl-decrypt setting


vsys : vsys1
Forward Proxy Ready : yes
Inbound Proxy Ready : no
Disable ssl : no
Disable ssl-decrypt : no
Notify user : no
Proxy for URL : no
Wait for URL : yes
Block revoked Cert : yes
Cert Status Query Timeout : 5
URL Category Query Timeout : 5
Fwd proxy server cert's rsa key size: 0
Fwd proxy server cert's ecdsa key size: 0
Use Cert Cache : yes
Verify CRL : no
Verify OCSP : no
CRL Status receive Timeout : 5
OCSP Status receive Timeout : 5
Use MP SSL Session Cache : yes
Use TCP SACK Option : yes


Need to understand: do we use MP for SSL decrypt?




Help the community: Like helpful comments and mark solutions.

L7 Applicator

Please include your PAN-OS version and platform if possible when posting questions, it can really help in diagnosing issues.


Some platforms (such as PA-5000 and the older PA-7000 NPCs) don't have enough memory on the DP to effectively cache SSL sessions compared to how many decryption sessions they support. The setting you see leverages the MP memory to store the SSL session cache instead, giving the system the ability to effectively keep up with the demand of the platform. It's enabled by default, and can be modified by:


> configure
# set deviceconfig setting ssl-decrypt use-mp-sess-cache <yes|no>
# commit

I wouldn't recommend touching it though, since it is working as designed. Removing it could cause your DP CPU to increase since it has less cache space for resuming previously-negotiated decrypted SSL (TLS) sessions. You can see the cache activity with:


> show system setting ssl-decrypt session-cache 
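
A simplified model of the point made in the reply above, added here as an example and not part of the original post or of PAN-OS: when an LRU session cache is smaller than the set of client/server pairs that keep reconnecting, resumption fails and every connection pays for a full handshake. The class, function names, capacities and workload are constructed for illustration.

```python
from collections import OrderedDict


class SessionCache:
    """Toy LRU cache of negotiated TLS sessions, keyed by (client, server)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self._entries = OrderedDict()

    def lookup(self, key):
        # A hit means the session can be resumed (abbreviated handshake).
        if key in self._entries:
            self._entries.move_to_end(key)  # mark as most recently used
            return True
        return False

    def store(self, key):
        self._entries[key] = True
        self._entries.move_to_end(key)
        # Evict least recently used sessions once the cache is over capacity.
        while len(self._entries) > self.capacity:
            self._entries.popitem(last=False)


def simulate(capacity, connections):
    """Return (full_handshakes, resumed) for a sequence of connections."""
    cache = SessionCache(capacity)
    full = resumed = 0
    for key in connections:
        if cache.lookup(key):
            resumed += 1
        else:
            full += 1  # full key exchange: the expensive path
            cache.store(key)
    return full, resumed


def constructed_workload(pairs=100, rounds=5):
    """Constructed sample: `pairs` clients reconnecting to one server, `rounds` times."""
    return [(f"client{i}", "server.example")
            for _ in range(rounds) for i in range(pairs)]


if __name__ == "__main__":
    workload = constructed_workload()
    for capacity in (1000, 50):  # large cache vs. cache smaller than the working set
        full, resumed = simulate(capacity, workload)
        print(f"capacity={capacity}: full={full} resumed={resumed}")
```
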


Thanks for the reply.

Going forward will do that.

PAN OS 8.0.9


model: PA-5220


show system setting ssl-decrypt session-cache

Queued message buffers to MP: 0
Total messages to MP: 103628501 (1984004)
hosts (client/server) id/ticket age cipher_c cipher_s user


I will not modify the settings.

I see there are a lot of SSL connections.


Are these SSL connections for active traffic?

Can you please explain to me in more detail the caching of SSL sessions in MP?

