Use MP SSL Session Cache

Reply
Highlighted
Cyber Elite

Use MP SSL Session Cache

when i run the below command 

 

show system setting ssl-decrypt setting

 

vsys : vsys1
Forward Proxy Ready : yes
Inbound Proxy Ready : no
Disable ssl : no
Disable ssl-decrypt : no
Notify user : no
Proxy for URL : no
Wait for URL : yes
Block revoked Cert : yes
Cert Status Query Timeout : 5
URL Category Query Timeout : 5
Fwd proxy server cert's rsa key size: 0
Fwd proxy server cert's ecdsa key size: 0
Use Cert Cache : yes
Verify CRL : no
Verify OCSP : no
CRL Status receive Timeout : 5
OCSP Status receive Timeout : 5
Use MP SSL Session Cache : yes
Use TCP SACK Option : yes

 

Need to understand do we use MP for ssl decryt???????

 

 

MP
Highlighted
L7 Applicator

Please include your PAN-OS version and platform if possible when posting questions, it can really help in diagnosing issues.

 

Some platforms (such as PA-5000 and the older PA-7000 NPCs) don't have enough memory on the DP to effectively cache SSL sessions compared to how many decryption sessions they support. The setting you see leverages the MP memory to store the SSL session cache instead, giving the system the ability to effectively keep up with the demand of the platform. It's enabled by default, and can be modified by:

 

> configure
# set deviceconfig setting ssl-decrypt use-mp-sess-cache <yes|no>
# commit

I wouldn't recommend touching it though, since it is working as designed. Removing it could cause your DP CPU to increase since it has less cache space for resuming previously-negotiated decrypted SSL (TLS) sessions. You can see the cache activity with:

 

> show system setting ssl-decrypt session-cache 

 

Highlighted
Cyber Elite

Thanks for reply.

Going forward will do that.

PAN OS 8.0.9

 

model: PA-5220

 

show system setting ssl-decrypt session-cache

Queued message buffers to MP: 0
Total messages to MP: 103628501 (1984004)
hosts (client/server) id/ticket age cipher_c cipher_s user
--------------------------------------------------------------------------------

 

I will not modify the settings.

I see there lot of sssl conenctions

 

Are these SSL conections for active traffic?

Can you please explain me in more detail cache ssl sessions in MP?

MP
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!