Use MP SSL Session Cache

Cyber Elite

When I run the below command:

 

show system setting ssl-decrypt setting

 

vsys : vsys1
Forward Proxy Ready : yes
Inbound Proxy Ready : no
Disable ssl : no
Disable ssl-decrypt : no
Notify user : no
Proxy for URL : no
Wait for URL : yes
Block revoked Cert : yes
Cert Status Query Timeout : 5
URL Category Query Timeout : 5
Fwd proxy server cert's rsa key size: 0
Fwd proxy server cert's ecdsa key size: 0
Use Cert Cache : yes
Verify CRL : no
Verify OCSP : no
CRL Status receive Timeout : 5
OCSP Status receive Timeout : 5
Use MP SSL Session Cache : yes
Use TCP SACK Option : yes

 

Need to understand: do we use MP for SSL decrypt?

 

 

MP

Help the community: Like helpful comments and mark solutions.

L7 Applicator

Please include your PAN-OS version and platform if possible when posting questions, it can really help in diagnosing issues.

 

Some platforms (such as PA-5000 and the older PA-7000 NPCs) don't have enough memory on the DP to effectively cache SSL sessions compared to how many decryption sessions they support. The setting you see leverages the MP memory to store the SSL session cache instead, giving the system the ability to effectively keep up with the demand of the platform. It's enabled by default, and can be modified by:

 

> configure
# set deviceconfig setting ssl-decrypt use-mp-sess-cache <yes|no>
# commit

I wouldn't recommend touching it though, since it is working as designed. Removing it could cause your DP CPU to increase since it has less cache space for resuming previously-negotiated decrypted SSL (TLS) sessions. You can see the cache activity with:

 

> show system setting ssl-decrypt session-cache 

 

Thanks for the reply.

Going forward will do that.

PAN OS 8.0.9

 

model: PA-5220

 

show system setting ssl-decrypt session-cache

Queued message buffers to MP: 0
Total messages to MP: 103628501 (1984004)
hosts (client/server) id/ticket age cipher_c cipher_s user
--------------------------------------------------------------------------------

 

I will not modify the settings.

I see there are a lot of SSL connections.

 

Are these SSL connections for active traffic?

Can you please explain to me in more detail the caching of SSL sessions in the MP?

MP
