Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
How to Identify Root Cause for SSL Decryption Failure Issues - Knowledge Base - Palo Alto Networks

How to Identify Root Cause for SSL Decryption Failure Issues

165622
Created On 09/26/18 13:47 PM - Last Modified 12/02/22 19:12 PM


Symptom


  • How to identify decryption failures due to an unsupported cipher suite.
  • Check out the following compatibility matrix to confirm the currently Supported Cipher Suites

 



Environment


  • Palo Alto Firewall
  • PAN-OS 8.1, 9.1, 10.1,10.2
  • SSL Decryption


Cause


In this example, the SSL proxy decryption fails because the server only supports Diffie-Hellman (DH) and Elliptec Curve Ephemeral Diffie-Hellman (ECDHE).
Follow these steps to confirm the issue:
  1. Run a packet capture from the Palo Alto Networks device (see How to Run a Packet Capture). Examine Client Hello packets sent by the client and the response packets sent by the server. Look for "Handshake Failure," which is shown below.
    step-1.PNG
  2. View the Cipher Suites supported by the client or Palo Alto Networks device in the Client Hello packets.
    step-2.PNG
  3. Using the SSL scan tool https://www.ssllabs.com/ssltest/index.html, find out which cipher suites are supported by the server. See this example:
    Step-3.PNG

The output above confirms that the issue is due to unsupported cipher suites.



Resolution


Create a No Decrypt policy.

  1. Create a Custom URL Category for that site.
    1. Go to > Objects > URL Category.
    2. Click on the Add button.
    3. Name the Custom URL Category.
    4. Click the Add button and then add the server's site and commit.
      WA1.PNG
  2. Create a Decryption Policy with a No Decrypt action of that URL site.
    1. Go to Policies > Decryption.
    2. Select the Decryption Rule.
    3. Clone the Decryption Rule.
    4. Move the Clone Decryption Policy above the Decryption Policy.
    5. Click on the Clone Decryption Policy > URL Category.
    6. Click on the Add button.
    7. Add the URL site and commit.
      WA2.PNG


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloUCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language