09-05-2024 05:48 AM
For a few months we have been getting more and more random outbound decryption errors. When the user waits a moment, the website opens correctly on its own. The browser error messages are "err_connection_reset" or "net:err_cert_authority_invalid". In the decryption error log I see errors like "certificate verifiy failed", "malloc failure", "General TLS protocol error". At the moment I have version 10.2.10-h4 installed on our PA-820 (HA). Has anyone had the same problems? I have opened a ticket and at the moment I am waiting for further actions.
09-05-2024 05:55 AM
Identify the site where decryption is failing.
Go to SSLLabs and run a test.
Does the website include the intermediate certificate or is it an extra download?
If the website is not sending the intermediate then Linux-based machines (including the Palo firewall) don't download it.
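A local way to run the check suggested in the reply above, as an added example that is not part of the original thread: it parses the "Certificate chain" summary printed by `openssl s_client` and reports whether the server sent only its leaf certificate. The sample outputs are constructed, the function names are this example's own, and the comparison uses subject/issuer names only (it does not verify signatures).

```python
import re
import subprocess
import sys
# Constructed s_client output (not captured from a real server): leaf only.
SAMPLE_LEAF_ONLY = """\
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Example CA, CN = Example Issuing CA 1
---
"""
# Constructed output where the server also sends its intermediate.
SAMPLE_WITH_INTERMEDIATE = """\
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Example CA, CN = Example Issuing CA 1
 1 s:C = US, O = Example CA, CN = Example Issuing CA 1
   i:C = US, O = Example CA, CN = Example Root
---
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*\d+ s:(.*)$", line)      # e.g. " 0 s:CN = ..."
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"\s+i:(.*)$", line)          # issuer line of that entry
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def assess(chain):
    """Classify the served chain by comparing subject/issuer names only."""
    if not chain:
        return "no-certificates"
    if len(chain) == 1:
        # A lone non-self-signed leaf means the intermediate is a separate download.
        return "self-signed" if chain[0][0] == chain[0][1] else "leaf-only"
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return "out-of-order-or-gap"
    return "intermediate-sent"

if __name__ == "__main__":
    host = sys.argv[1]  # hostname of the site where decryption is failing
    cmd = ["openssl", "s_client", "-connect", f"{host}:443", "-servername", host]
    out = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=20).stdout
    print(host, assess(parse_chain(out)))
```

Run from a host that reaches the site without passing through the decrypting firewall, so the chain shown is the one the origin server sends.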
09-05-2024 06:11 AM
This isn't a problem with the sites (like a missing intermediate certificate). I open a site and I get the error message. When I close the site and open it again a little bit later, the site loads correctly (or when I leave the site and refresh it a little bit later). I think it is a decryption performance problem, but we can't see it in the firewall.
09-05-2024 07:06 AM - edited 09-05-2024 07:06 AM
One of your errors was "certificate verifiy failed".
Does it make any difference if you temporarily (just for testing) uncheck "Block sessions with unknown certificate status" and "Block sessions on certificate status check timeout" under Decryption Profile?
09-05-2024 11:27 PM
I have tested it. It didn't make any difference.