The existing session end reason feature is enhanced with new reasons so that the administrator can determine the reason for SSL session terminations during SSL decryption. SSL session end reason information will be visible and usable in traffic log queries through all available interfaces. The session end reason will also be exportable through all means available on the Palo Alto Networks firewall.
The new list of session end reasons, in precedence order (the first matching reason wins). New additions are in bold.
- threat
- policy-deny
- **decrypt-cert-validation**
- **decrypt-unsupport-param**
- **decrypt-error**
- tcp-rst-from-client
- tcp-rst-from-server
- resources-unavailable
- tcp-fin
- tcp-reuse
- decoder
- aged-out
- unknown
decrypt-cert-validation
a) Identify all the places where certificate errors are handled.
Related error codes:
- PAN_SSL_ERROR_INVALID_CERT (-3)
- PAN_SSL_ERROR_UNTRUSTED_ISSUER (-9)
- PAN_SSL_ERROR_EXPIRED_CERT (-10)
- PAN_SSL_ERROR_CLIENT_CERT (-11)
- PAN_SSL_ERROR_CERT_ON_HSM (-13)
b) Handle FATAL alerts about certificates (refer to RFC 5246):
- bad_certificate
- unsupported_certificate
- certificate_revoked
- access_denied
- no_certificate_RESERVED (only for SSLv3)
c) SSH has no certificate validation, so no SSH error code maps to this reason.
decrypt-unsupport-param
a) Identify all the places where the version/cipher check is done.
Related error codes:
- PAN_SSL_ERROR_UNSUPPORTED (-2)
- PAN_SSL_ERROR_HANDSHAKE_FAILURE (-4)
- PAN_SSL_ERROR_UNSUPPORTED_VER (-7)
- PAN_SSL_ERROR_UNSUPPORTED_CIPHER (-12)
b) Handle FATAL alerts about unsupported versions/ciphers (refer to RFC 5246):
- unsupported_extension
- unexpected_message (for unexpected record types)
- handshake_failure
c) Identify all unsupported version/cipher errors for SSH.
Related error codes:
- PAN_SSH_ERROR_VERSION_FROM_CLIENT_UNSUPPORTED (-30)
- PAN_SSH_ERROR_VERSION_FROM_SERVER_UNSUPPORTED (-31)
- PAN_SSH_ERROR_KEX_ALGORITHM_FROM_CLIENT_UNSUPPORTED (-40)
- PAN_SSH_ERROR_KEX_ALGORITHM_FROM_SERVER_UNSUPPORTED (-41)
decrypt-error
a) All other SSL error paths not covered above.
Related error codes:
- PAN_SSL_ERROR_GENERAL (-1)
- PAN_SSL_ERROR_UNMATCHED_KEY (-5)
- PAN_SSL_ERROR_RESUME_SESSION (-6)
- PAN_SSL_ERROR_NO_RESOURCE (-8)
- PAN_SSL_ERROR_HSM_REQRESP (-14)
- PAN_SSL_ERROR_HSM_DOWN (-15)
- PAN_SSL_ERROR_HSM_OTHER (-16)
- PAN_SSL_HB_HEARTBLEED_DETECTED (-17)
- PAN_SSL_ERROR_KEY_EXCHANGE (-18)
b) All other FATAL alerts not covered above.
c) All other SSH errors.
Related error codes:
- PAN_SSH_ERROR_EXPECT_MORE (-10)
- PAN_SSH_ERROR_MAC_INVALID (-20)
- PAN_SSH_ERROR_DECRYPTION_FAILURE (-21)
- PAN_SSH_ERROR_ENCRYPTION_FAILURE (-22)
- PAN_SSH_ERROR_VERSION_TOO_LONG (-32)
- PAN_SSH_ERROR_VERSION_MALFORMED (-33)
- PAN_SSH_ERROR_KEX_UNEXPECTED_MESSAGE (-42)
- PAN_SSH_ERROR_KEX_PACKET_TOO_LONG (-43)
- PAN_SSH_ERROR_KEX_METHOD_SPECIFIC (-44)
- PAN_SSH_ERROR_KEX_TOO_FREQUENT (-45)
- PAN_SSH_ERROR_BUFFER_FULL (-50)
- PAN_SSH_ERROR_BUFFER_READ_OUT (-51)
- PAN_SSH_ERROR_BUFFER_DEST_TOO_SHORT (-52)
- PAN_SSH_ERROR_BUFFER_BIGNUM_NEGATIVE (-53)
- PAN_SSH_ERROR_BUFFER_BIGNUM_TOO_SMALL (-54)
- PAN_SSH_ERROR_BUFFER_BIGNUM_TOO_BIG (-55)
- PAN_SSH_ERROR_BUFFER_BIGNUM_FAILURE (-56)
- PAN_SSH_ERROR_RESOURCE_UNAVAILABLE (-60)
- PAN_SSH_ERROR_INTERNAL (-70)
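The mapping above is easiest to check against a concrete implementation. The following is an added example, not Palo Alto Networks code: it classifies the SSL/SSH error codes and TLS alert descriptions listed on this page into the three new session end reasons, and then picks the reason with the highest precedence when several are raised during one session. The numeric codes, alert names and the precedence list are taken from the page; the function names, the event tuple format and the sample event stream are this example's own. Two generalisations are assumed: any negative SSL or SSH error code not named in the first two buckets falls into decrypt-error (items a) and c) under decrypt-error), and only alerts at level fatal produce a session end reason (items b)).

```python
"""Session end reason classification for SSL/SSH decryption errors.

Added example (not PAN-OS code). Error codes, alert names and precedence
order come from the feature description above; everything else is assumed.
"""

# Session end reasons in precedence order, highest first (from the page).
PRECEDENCE = [
    "threat", "policy-deny", "decrypt-cert-validation",
    "decrypt-unsupport-param", "decrypt-error", "tcp-rst-from-client",
    "tcp-rst-from-server", "resources-unavailable", "tcp-fin", "tcp-reuse",
    "decoder", "aged-out", "unknown",
]

# decrypt-cert-validation: SSL codes (item a) and fatal alerts (item b).
CERT_VALIDATION_SSL = {-3, -9, -10, -11, -13}
CERT_VALIDATION_ALERTS = {
    "bad_certificate", "unsupported_certificate", "certificate_revoked",
    "access_denied", "no_certificate_RESERVED",
}

# decrypt-unsupport-param: SSL codes (a), fatal alerts (b), SSH codes (c).
UNSUPPORTED_PARAM_SSL = {-2, -4, -7, -12}
UNSUPPORTED_PARAM_ALERTS = {
    "unsupported_extension", "unexpected_message", "handshake_failure",
}
UNSUPPORTED_PARAM_SSH = {-30, -31, -40, -41}


def reason_for_ssl_error(code):
    """Map a PAN_SSL_ERROR_* return value to a session end reason.

    Zero / positive values are treated as success and yield None. Any other
    negative code is decrypt-error (assumed reading of "all other places").
    """
    if code >= 0:
        return None
    if code in CERT_VALIDATION_SSL:
        return "decrypt-cert-validation"
    if code in UNSUPPORTED_PARAM_SSL:
        return "decrypt-unsupport-param"
    return "decrypt-error"


def reason_for_tls_alert(level, description):
    """Map a received TLS alert to a session end reason.

    Only fatal alerts end the session (assumption); a fatal alert whose
    description is in neither named set is decrypt-error (item b).
    """
    if level != "fatal":
        return None
    if description in CERT_VALIDATION_ALERTS:
        return "decrypt-cert-validation"
    if description in UNSUPPORTED_PARAM_ALERTS:
        return "decrypt-unsupport-param"
    return "decrypt-error"


def reason_for_ssh_error(code):
    """Map a PAN_SSH_ERROR_* return value to a session end reason.

    SSH has no certificate validation, so only two buckets exist; every
    negative code outside the version/kex set is decrypt-error.
    """
    if code >= 0:
        return None
    if code in UNSUPPORTED_PARAM_SSH:
        return "decrypt-unsupport-param"
    return "decrypt-error"


def select_session_end_reason(reasons):
    """Pick the highest-precedence reason raised during a session.

    Reasons outside PRECEDENCE are rejected rather than silently logged.
    """
    raised = [r for r in reasons if r is not None]
    for r in raised:
        if r not in PRECEDENCE:
            raise ValueError(f"unknown session end reason {r!r}")
    if not raised:
        return "unknown"
    return min(raised, key=PRECEDENCE.index)


def classify_session(events):
    """Fold a session's events into one logged session end reason.

    events: iterable of (kind, payload) tuples, an assumed format:
      ("ssl", code) / ("ssh", code) / ("alert", (level, description)) /
      ("transport", reason) for plain TCP end reasons such as "tcp-fin".
    """
    raised = []
    for kind, payload in events:
        if kind == "ssl":
            raised.append(reason_for_ssl_error(payload))
        elif kind == "ssh":
            raised.append(reason_for_ssh_error(payload))
        elif kind == "alert":
            raised.append(reason_for_tls_alert(*payload))
        elif kind == "transport":
            raised.append(payload)
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return select_session_end_reason(raised)


# Constructed sample: the server rejects the cipher (fatal handshake_failure),
# the SSL proxy reports PAN_SSL_ERROR_HANDSHAKE_FAILURE (-4), then the server
# resets the connection. The decrypt reason outranks the TCP reset.
SAMPLE_EVENTS = [
    ("alert", ("fatal", "handshake_failure")),
    ("ssl", -4),
    ("transport", "tcp-rst-from-server"),
]

if __name__ == "__main__":
    print(classify_session(SAMPLE_EVENTS))  # decrypt-unsupport-param
```

The point of `select_session_end_reason` is that a single session often raises more than one candidate: a certificate failure is normally followed by a TCP reset or FIN, and without the precedence rule the log would show the uninformative transport reason. When querying traffic logs, filtering on the three decrypt-* reasons separately tells you whether to look at the certificate chain, the version/cipher configuration of the decryption profile, or the proxy itself.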