We've been using SSL decryption inbound for a while. In order to decrypt traffic based on DHE and ECDHE ciphers, we moved to PAN-OS 8.0. On 7.1.10, traffic with those ciphers was not decrypted but passed through. Now, on 8.0.6, we see drops. The decryption profile sets TLSv1.0 only as protocol, but we allow other protocol versions and ciphers (block unchecked for unsupported versions and cipher suites). When the decryption policy is enabled, requests from Firefox v.59 (Windows, Linux and Android) get an SSL_ERROR_ILLEGAL_PARAMETER_ERROR. I couldn't find info from Palo Alto describing those errors. They say that when decryption is not supported, the session is not decrypted and is passed through the firewall, as mentioned here:

https://live.paloaltonetworks.com/t5/PSIRT-Articles/Safely-inspecting-SSL-transactions/ta-p/148517
https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Cipher-suite-enforcement-in-decryption-rules/ta-p/74291

Briefly: decryption policy enabled, we get errors. Decryption policy disabled, everything works fine. Am I confused, or is this the expected behaviour?
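When a client reports an illegal-parameter failure during the handshake, the quickest way to see which side sent the alert, and in response to what, is to capture the TLS records on both sides of the firewall and decode them; handshake-phase alerts are sent in the clear. The decoder below is an added example for that diagnosis, not code from the original post or from Palo Alto; the sample byte string is constructed.

```python
import struct

# IANA TLS alert descriptions (RFC 5246 / RFC 8446). Code 47, illegal_parameter,
# is the alert behind the "illegal parameter" error class shown by browsers.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 109: "missing_extension",
    110: "unsupported_extension", 112: "unrecognized_name",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done",
                   16: "client_key_exchange"}
RECORD_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_records(data: bytes) -> list:
    """Split a raw TLS byte stream into records and describe each one.

    Only plaintext records are meaningful here: alerts sent after the
    handshake has finished are encrypted and will just show as 'alert'.
    """
    out, off = [], 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated record at offset %d" % off)
        rec = {"type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
               "version": RECORD_VERSIONS.get(ver, "0x%04x" % ver)}
        if ctype == 21 and length == 2:          # alert: level + description
            rec["level"] = ALERT_LEVELS.get(body[0], "unknown(%d)" % body[0])
            rec["description"] = ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1])
        elif ctype == 22 and length >= 1:        # handshake: first byte is the type
            rec["handshake"] = HANDSHAKE_TYPES.get(body[0], "unknown(%d)" % body[0])
        out.append(rec)
        off += 5 + length
    return out


# Constructed sample: a (truncated) ServerHello record followed by a fatal
# illegal_parameter alert, the pattern to look for on the client-facing capture.
SAMPLE = bytes.fromhex("1603030004" "02000000" "1503030002" "022f")

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec)
```

Feed it the payload of the TCP segments from a capture taken on the client side and on the server side: if the alert only appears on the client side, the firewall generated it; if the server sent it, the firewall forwarded it.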