After uprading my lab to pan-os 8.0 The forward Decryption failed when using Firefox and Chrome.
IE 11 en Edge still works.
For example when i go to www.google.com,
Chrome displays: www.google.com uses an unsupported protocol.
Firefox: Advanced info: SSL_ERROR_NO_CYPHER_OVERLAP
In the PA logs: Session end Reason = decrypt-error.
PA continues the tradition to break decryption on new major releases 😉
Does anyone else have same issue?
I can confirm I installed 8.1 on 3 units, all of them had the same issue, No Chrome (google sites) working. Spent a few hours trying different rules and fixes, nothing worked. Then I read the post about waiting X hours, so I waited until the next morning and everything works again, great. Hopefully it does not return after a reboot and the cycle starts again, X hours for things to work again.
David, we had the same issue after upgrading from 7.1.8 to 8.0.1 and after 24 hours it had resolved itself. Our TAC gave us a command that may help:
debug dataplane reset ssl-decrypt certificate-cache
I've asked them the question to whether this issue resurfaces after a reboot.
We also have issue with most of the Google apps including Play Store, the Wiki and Instagram app and decryption. I have a feeling most will have to bypass decryption at the OS level...
Thanks for this.
Yes - have been chasing why Android phone (Nexus running Android 7.1.1) when initially connected notifies me of no internet. Think this is now a connectivity check via SSL, if I place a decryption exception I can get past this hurdle so guessing something is pinned in Android.
Also Google play no good, activity feed on Google Now/Assistant no good. Monitoring -> Logs -> Traffic I see session end as "Policy-Deny" on the decrypted traffic - category identified is search engines.
Do not decrypt - search engines & content delivery networks and everything seems a great deal better.
Ill keep at it. This is all on PAN 8.0.1 with SSL decryption enabled.
++ update very interesting:- https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html looks like Android 7.1.1 has tightened up and possibly mitm no longer possible.
We also have a 3020, the only workaround we have at the moment is the command I posted earlier (untested) or wait 24 hours and it started working.
In terms of Google, et al and their apps not working with decryption, this is currently with our TAC (including the links above from David) and a remote session due this morning...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!