Back with PAN-OS 7.1 when it was working, do you know what version Chrome was on? But as already mentioned by @BPry, when the firewall tries to but cannot decrypt the connection, this leads to problems in most cases. In your situation I would expect that the first attempt fails and then the connection is placed in the exclude cache, as you do not block "unsupported" protocol versions. But depending on the TLS handshake, the firewall may not be able to do that, as it assumes the decryption works but it does not (TLS handshake compatibility). When TLS 1.2 should be used but the handshake is done in a way that also works for servers with TLS 1.0 (as it should according to the RFC), there might be the location of this (possible) bug. So the firewall assumes it is doing everything correctly, and from the client's perspective it looks like a protocol downgrade attack. I know, a lot of speculation 😛 So I am interested in what TAC says on this. Did you try to connect from a system/browser where you manually force everything to TLS 1.2 only?

And now to something (almost) completely different: if you decide to do inbound decryption, shouldn't it be the opposite way? Decrypt TLS 1.1 and 1.2 and block TLS 1.0 with the decryption profile? (I am sure you have your reasons, so I am asking only because of personal interest.)
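The post's point about handshake compatibility is that a TLS 1.2 (or 1.3) ClientHello deliberately advertises an older version in its outer record header, so a middlebox that classifies the session from the wrong field sees "TLS 1.0" even though the client is offering 1.2 or 1.3. The following Python is an added illustration, not code from the original thread or from Palo Alto Networks: it constructs sample ClientHello messages (the bytes are built inline, not captured traffic), parses the three version fields a decryption engine could look at, and applies the "decrypt TLS 1.1/1.2, block TLS 1.0" profile the poster suggests. The `policy_decision` function and its two classification strategies are hypothetical and are not how PAN-OS implements its exclude cache or decryption profile.

```python
import struct

TLS_VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 supported_versions extension


def build_client_hello(handshake_version, supported_versions=None, record_version=0x0301):
    """Construct a minimal ClientHello record (constructed sample, not real traffic).

    Per RFC 5246/8446 the outer record version is commonly 0x0301 (TLS 1.0) for
    compatibility with old servers, regardless of what the client actually supports.
    """
    body = struct.pack("!H", handshake_version)      # client_version / legacy_version
    body += b"\x11" * 32                             # client random (fixed filler)
    body += b"\x00"                                  # empty session id
    suites = b"\x13\x01\xc0\x2f"                     # two example cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                              # one compression method: null
    exts = b""
    if supported_versions:
        vlist = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_body = struct.pack("!B", len(vlist)) + vlist
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_body)) + ext_body
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type=ClientHello
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_client_hello(data):
    """Extract the record version, handshake version and supported_versions list."""
    if data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack("!HH", data[1:5])
    hs = data[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    handshake_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                   # skip random
    pos += 1 + body[pos]                            # skip session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher suites
    pos += 1 + body[pos]                            # skip compression methods
    supported = []
    if pos < len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = edata[0]
                supported = [struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)]
    return {"record_version": record_version,
            "handshake_version": handshake_version,
            "supported_versions": supported}


def naive_version(hello):
    """What a box that trusts only the outer record header would conclude."""
    return hello["record_version"]


def offered_version(hello):
    """Highest version the client actually offers (extension wins over legacy field)."""
    if hello["supported_versions"]:
        return max(hello["supported_versions"])
    return hello["handshake_version"]


def policy_decision(hello, minimum=0x0302, classifier=offered_version):
    """Hypothetical 'decrypt TLS 1.1+ / block TLS 1.0' profile, as the poster proposes."""
    return "decrypt" if classifier(hello) >= minimum else "block"


if __name__ == "__main__":
    for label, raw in (("TLS1.0 client", build_client_hello(0x0301)),
                       ("TLS1.2 client", build_client_hello(0x0303)),
                       ("TLS1.3 client", build_client_hello(0x0303, [0x0304, 0x0303]))):
        h = parse_client_hello(raw)
        print(label, "record:", TLS_VERSIONS[naive_version(h)],
              "offered:", TLS_VERSIONS[offered_version(h)],
              "naive:", policy_decision(h, classifier=naive_version),
              "correct:", policy_decision(h))
```

Running it shows that every constructed ClientHello carries a TLS 1.0 record version, so the naive classifier blocks the TLS 1.2 and 1.3 clients just as it blocks the real TLS 1.0 one; only the classifier that reads the handshake version and the supported_versions extension reaches the decision the decryption profile intends. That is the mismatch the post describes from the client's side: a perfectly compliant handshake that a misclassifying inspection point turns into what looks like a downgrade.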