PAN-OS 8.0 Decryption Issue with Firefox and Chrome


L3 Networker

After upgrading my lab to PAN-OS 8.0, forward decryption failed when using Firefox and Chrome.

IE 11 and Edge still work.


For example, when I go to,


Chrome displays: uses an unsupported protocol.


Firefox:  Advanced info: SSL_ERROR_NO_CYPHER_OVERLAP


In the PA logs:  Session end Reason = decrypt-error.


PA continues the tradition to break decryption on new major releases 😉

Does anyone else have the same issue?


Try using a different browser.

Had the same issue here in the lab. FF returned an error while IE ran just fine. See screenshots.

I assume both browsers try to establish a different SSL connection.




Without changing anything on the PA, I let it run for a number of hours and suddenly it works.

After a reboot of the PA, the same story again.

L3 Networker

PAN-OS 8.0.1: the issue still exists.

L0 Member

I can confirm I installed 8.1 on 3 units, all of them had the same issue, No Chrome (google sites) working. Spent a few hours trying different rules and fixes, nothing worked. Then I read the post about waiting X hours, so I waited until the next morning and everything works again, great.  Hopefully it does not return after a reboot and the cycle starts again, X hours for things to work again.


L2 Linker



Any news on this? Have been seeing strange behaviour very similar to this with Android 7.1 / Google / PAN 8.0.1. 



David, we had the same issue after upgrading from 7.1.8 to 8.0.1 and after 24 hours it had resolved itself. Our TAC gave us a command that may help:


debug dataplane reset ssl-decrypt certificate-cache


I've asked them whether this issue resurfaces after a reboot.


We also have issues with most of the Google apps including Play Store, the Wiki and Instagram app and decryption. I have a feeling most will have to bypass decryption at the OS level...

Thanks for this. 


Yes - have been chasing why Android phone (Nexus running Android 7.1.1)  when initially connected notifies me of no internet. Think this is now a connectivity check via SSL, if I place a decryption exception I can get past this hurdle so guessing something is pinned in Android. 


Also Google play no good, activity feed on Google Now/Assistant no good. Monitoring -> Logs -> Traffic I see session end as "Policy-Deny" on the decrypted traffic - category identified is search engines. 
Do not decrypt - search engines & content delivery networks and everything seems a great deal better. 


I'll keep at it. This is all on PAN 8.0.1 with SSL decryption enabled.

++ Update, very interesting: looks like Android 7.1.1 has tightened up and possibly MITM is no longer possible.



L1 Bithead


We have that problem on 8.0.1, but we do not use VM series but a PA3020. Did you find a workaround?

We also have a 3020, the only workaround we have at the moment is the command I posted earlier (untested) or wait 24 hours and it started working.


In terms of Google, et al and their apps not working with decryption, this is currently with our TAC (including the links above from David) and a remote session due this morning...
