Hi, I have enabled SSL decryption (forward proxy) on our PA-3020 firewall. The certificate is generated from our CSR and is installed on our PA-3020. I have set up a separate forward trust and forward untrust certificate. The forward trust certificate has been distributed via windows group policy and resides in the 'intermediate' and 'trusted' cert authorities within windows. I can confirm that the SSL decryption appears to have been set up correctly as demonstrated in the screenshots provided. when accessing 'bbc.com' through the Microsoft EDGE browser I am getting a trusted cert from the PA-3020. When accessing 'badssl.com' in Microsoft EDGE i am getting the correct untrusted certificate from the PA-3020. However, when using Google chrome I am getting an error about weak encryption on the firewall. It states that I am using a weak encryption algorithm. When creating the cert on the PA-3020 I used an RSA algorithm (2048 bits) and a SHA256 digest. Can you advise why the PA-3020 certificate is not working on google chrome?
This could actually be due to Chrome supporting TLS 1.3 and the PAN-OS version you are running not knowing to get out of the way and not attempt to decrypt the traffic. This was either added for PAN-OS 8.0 in 8.0.14 or 8.0.16, I can't recall exactly which one. I would upgrade your firewall to 8.0.19 and see if the issue persists.
FYI, PAN-OS 8 goes EOL on Oct 31st, I would start planning your upgrade to 8.1.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!