04-22-2024 02:34 PM - edited 04-22-2024 02:36 PM
We're having some strange SSL/TLS Inspection errors while on GlobalProtect. We are getting unsupported-parameter errors while a user is connected to GlobalProtect trying to get to any internet site, including things like google.com. Doing a packet capture on the firewall it shows the connection trying to happen on tls 1.0 which we do indeed not allow as part of the decryption profile. This only happens while on GlobalProtect, other users with the same security policies and decryption polices applied work as intended and are decrypted as intended.
This issue appears to have just started today, we updated PAN-OS to 10.2.9-h1 last week. This issue consistently happens on Chrome and Edge, but the issue seems to be almost non existent on Firefox. Which none of these browsers have tls 1.0 enabled. Even on the same computer, it works fine on-prem but has issues on GlobalProtect. Being its the weird combination of GlobalProtect users while using Chromium browsers, not sure which side is incorrectly acting on tls 1.0. I only see unsupported parameter or decryption error as the session end reason in the traffic logs, there are no errors in the decryption logs. Have tested on GP 6.0.7, 6.2.2, and 6.2.3, we are running PAN-OS 10.2.9-h1.
Unchecking the unsupported mode checks block fixes fixes the issue and gets us running for now.
Has anyone experienced something similar or a direction to look? We've also got a TAC case open.
