This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
About ACortes
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About ACortes
10-21-2020
17Posts
2Likes
2Solutions
Oct 21, 2020Last Visited
User
Activity
User
Profile
Latest posts by ACortes
| Subject | Views | Posted |
|---|---|---|
| 6824 | 03-25-2019 01:00 AM | |
| 5320 | 03-22-2019 06:04 AM | |
| 4521 | 03-22-2019 05:53 AM | |
| 20821 | 03-22-2019 02:09 AM | |
| 15486 | 10-21-2018 10:46 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 03-22-2019 06:04 AM | |
| 1 Like | 03-22-2019 02:09 AM |
User Badges
Community Statistics
| Member Since | 06-24-2015 12:52 AM |
| Date Last Visited | 10-21-2020 04:00 AM |
| Posts | 17 |
| Total Likes Received | 2 |
10-18-2018
11:57 PM
I've experiencing similar problems with ssl inbound decryption, session end reasons an decryption errors just after upgrading to 8.0.6: https://live.paloaltonetworks.com/t5/General-Topics/SSL-decryption-inbound-issue/m-p/209561 Look at 8.1.3 addressed issue PAN-97208 https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os-release-notes/pan-os-8-1-addressed-issues/pan-os-8-1-3-addressed-issues You may try to upgrade to 8.1.3 or 8.1.4 and check if it's related.
... View more
04-11-2018
12:38 AM
@BPry wrote: In my experiance if the traffic can't be encrypted you'll usually run into issues... That sounds interesting. This concrete scenario has been some kind of coincidence, but the point is that we had deployed SSL inbound inspection for many web apps and we have disabled every deciption policy until we clarify the FW behaviour. I've tried the no-decrypt-policy-based workaround you have proposed. It seems to work properly but it is still a workaround. A member of the Paloalto support team has admitted that it is not the expected behavior. So, I hope they are going to study the case. Thanks for your help!
... View more
04-11-2018
12:23 AM
With Block-IP you can drop traffic for a defined period, between 1 and 3600 seconds. Take care when apply because legitimate sources could also be blocked.
... View more
04-10-2018
12:40 AM
Well. This is the profile. I only want to decrypt TLSv1.0. Other traffic is supposed to be allowed without being decrypted, or I may have misunderstood how inbound inspection works. When the issue happens, the client try to negotiate TLSv1.2 and something goes wrong. This is captured on the FW, at firewall stage: And this is captured from the clientside: After opening a case, a workaround has been supplied: "Enabling TLSv1.2 on the profile, it works properly". Anyway, that's not the point. Because traffic that can not be decrypted should be allowed as SSL, isn't it? If I don't want to decrypt nor block sessions based on TLSv1.1 or TLSv1.2, why are they being blocked?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-21-2020
04:00 AM
|
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks