Palo Alto Networks Knowledgebase: Decrypt Errors on SSL Inbound Inspection After Upgrading to PAN-OS 8.0

Created On 04/19/19 10:50 AM - Last Updated 04/19/19 15:31 PM
Decryption 8.1 8.0 7.1 9.0 PAN-OS
Symptom
SSL Inbound Inspection policies that worked on PAN-OS 7.1 start failing for some sessions after an upgrade to PAN-OS 8.0, and the traffic logs show decrypt errors. Below is an example of a failed session; note the session tracker reporting "proxy decrypt failure" and the session ending with policy-deny:
admin@firewall> show session id 318075

Session          318075

        c2s flow:
                source:      200.0.0.1 [Untrust]
                dst:         100.0.0.1
                proto:       6
                sport:       56272           dport:      25
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        s2c flow:
                source:      192.168.1.100 [Trust]
                dst:         200.0.0.1
                proto:       6
                sport:       25              dport:      56272
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                           : Wed Apr 17 14:04:30 2019
        timeout                              : 15 sec
        total byte count(c2s)                : 3975
        total byte count(s2c)                : 5583
        layer7 packet count(c2s)             : 13
        layer7 packet count(s2c)             : 16
        vsys                                 : vsys1
        application                          : smtp  
        rule                                 : Inbound-SMTP
        session to be logged at end          : True
        session in session ager              : False
        session updated by HA peer           : False
        address/port translation             : destination
        nat-rule                             : smtp(vsys1)
        layer7 processing                    : enabled
        URL filtering enabled                : True
        URL category                         : business-and-economy
        session via syn-cookies              : False
        session terminated on host           : False
        session traverses tunnel             : False
        captive portal session               : False
        ingress interface                    : ae1
        egress interface                     : ae2
        session QoS rule                     : N/A (class 4)
        tracker stage firewall               : proxy decrypt failure
        tracker stage l7proc                 : ctd proc changed
        end-reason                           : policy-deny

Environment
PAN-OS 8.0 and later, with SSL Inbound Inspection configured.

Cause
Prior to PAN-OS 8.0, inbound inspection was completely passive. With RSA key exchange the client encrypts the pre-master secret to the server's public key, so a firewall that holds the server certificate and private key can recover the pre-master secret from the ClientKeyExchange message and derive the session keys on the fly, without modifying the handshake or proxying the connection. Starting with PAN-OS 8.0, inbound inspection also supports the Diffie-Hellman (DHE) and Elliptic Curve Diffie-Hellman (ECDHE) key exchanges.

These two key exchanges provide Perfect Forward Secrecy (PFS): both sides generate a fresh ephemeral key pair for every session, and the server's long-term private key is used only to sign the server's ephemeral share, never to protect the session key. Knowing the private key therefore does not let an observer derive the session key from the captured handshake, so the firewall can no longer simply copy and decrypt the inbound SSL flow as it passes through. For these sessions the firewall has to act as a man-in-the-middle proxy between the external client and the internal server, completing one SSL handshake with the client (presenting the imported server certificate and signing with its key) and a separate one with the server.
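To make the distinction concrete, here is a toy model of the two key exchanges as seen by a passive observer that holds the server's private key, followed by the two-handshake proxy the firewall has to perform for (EC)DHE. This is an added example, not PAN-OS code or anything from the article; every parameter is demo-sized and insecure, and only the structure of the messages is faithful.

```python
"""Toy model of why the firewall could decrypt RSA-key-exchange sessions
passively but has to proxy (EC)DHE sessions.  Added illustration, not PAN-OS
code.  Every parameter is demo-sized and NOT secure: real TLS uses 2048-bit+
RSA keys with PKCS#1 padding, named (EC)DH groups and a PRF over the pre-master
secret.  Only the structure of the exchanges is faithful."""
import hashlib
import secrets

# Toy RSA key standing in for the server certificate's key pair, i.e. the key
# the administrator imports on the firewall for inbound inspection.
_P, _Q = 2**61 - 1, 2**89 - 1                      # Mersenne primes, demo only
RSA_N, RSA_E = _P * _Q, 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))

# Toy finite-field Diffie-Hellman group (demo only).
DH_P, DH_G = 2**127 - 1, 3


def _digest(value: int) -> int:
    """SHA-256 of an integer, reduced into the RSA modulus, for the toy signature."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % RSA_N


def rsa_sign(value: int) -> int:
    return pow(_digest(value), RSA_D, RSA_N)


def rsa_verify(value: int, signature: int) -> bool:
    return pow(signature, RSA_E, RSA_N) == _digest(value)


# ---- RSA key exchange: the pre-PAN-OS 8.0 passive case ----------------------
def rsa_handshake() -> dict:
    """Client encrypts a random pre-master secret to the server's public key
    (ClientKeyExchange); the server decrypts it with the private key."""
    premaster = secrets.randbelow(2**120)
    client_key_exchange = pow(premaster, RSA_E, RSA_N)
    server_premaster = pow(client_key_exchange, RSA_D, RSA_N)
    return {"client": premaster, "server": server_premaster,
            "wire": {"ClientKeyExchange": client_key_exchange}}


def passive_inspector_rsa(wire: dict) -> int:
    """Holding the server's private key is enough to read the pre-master
    secret off the wire; the handshake is never modified."""
    return pow(wire["ClientKeyExchange"], RSA_D, RSA_N)


# ---- DHE key exchange: forward secrecy forces the proxy ---------------------
def dhe_server_flight():
    """Server picks an ephemeral exponent and signs its share with the RSA key
    (ServerKeyExchange).  The exponent itself never leaves the server."""
    a = secrets.randbelow(DH_P - 2) + 1
    share = pow(DH_G, a, DH_P)
    return a, {"ServerKeyExchange": share, "Signature": rsa_sign(share)}


def dhe_client_reply(server_msg: dict):
    """Client verifies the signature, sends its own share and derives g^(ab)."""
    if not rsa_verify(server_msg["ServerKeyExchange"], server_msg["Signature"]):
        raise ValueError("bad ServerKeyExchange signature")
    b = secrets.randbelow(DH_P - 2) + 1
    secret = pow(server_msg["ServerKeyExchange"], b, DH_P)
    return secret, {"ClientKeyExchange": pow(DH_G, b, DH_P)}


def passive_inspector_dhe(server_msg: dict) -> bool:
    """With only the RSA private key an observer can confirm the share is
    authentic, but it has neither a nor b, so g^(ab) is out of reach."""
    return rsa_verify(server_msg["ServerKeyExchange"], server_msg["Signature"])


def inbound_inspection_proxy() -> dict:
    """What PAN-OS 8.0+ does for (EC)DHE: two independent handshakes.  Toward the
    server the firewall plays the client; toward the client it plays the server
    and signs its own ephemeral share with the imported server key.  It ends up
    with both session secrets, which differ from each other."""
    a_srv, srv_msg = dhe_server_flight()                 # real server's flight
    fw_to_server, fw_cke = dhe_client_reply(srv_msg)     # firewall acting as client
    server_secret = pow(fw_cke["ClientKeyExchange"], a_srv, DH_P)
    a_fw, fw_msg = dhe_server_flight()                   # firewall's own flight to the client
    client_secret, cli_cke = dhe_client_reply(fw_msg)    # real client
    fw_to_client = pow(cli_cke["ClientKeyExchange"], a_fw, DH_P)
    return {"server": server_secret, "fw_server_side": fw_to_server,
            "client": client_secret, "fw_client_side": fw_to_client}
```

passive_inspector_rsa returns the exact pre-master secret both endpoints hold, while passive_inspector_dhe can do no better than confirm the server's signature. inbound_inspection_proxy ends up with two different session secrets, one shared with the client and one with the server, which is why a handshake that fails on either leg is what the firewall reports as a decrypt error.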

Because the firewall is now acting as a proxy, a session is terminated and logged as a decrypt error whenever the firewall cannot complete the SSL handshake on either side. Common reasons for decrypt failures are:
– Cipher suites not supported by the firewall for inbound inspection
– EC curves not supported by the firewall
– Server using a certificate chain (intermediate and root CA certificates) that is not also imported on the firewall
– Server sending a CertificateRequest during the handshake, which the client answers with Certificate and CertificateVerify messages
– Server configured for client certificate authentication, including optional client authentication, which still produces a CertificateRequest
– Client sending an SSL alert such as unknown_ca or bad_certificate because it does not accept the certificate presented to it

Resolution

The server has to be configured to match the decryption profile attached to the inbound inspection policy on the firewall: the SSL versions, key exchange algorithms (RSA, DHE, ECDHE), encryption algorithms and authentication algorithms allowed under the profile's SSL Protocol Settings must overlap with what the server negotiates. The server has to adhere to the protocols supported by the firewall for inbound inspection to work effectively.

The articles below list the cipher suites supported in each release:
Cipher Suites Supported in PAN-OS 8.0
Cipher Suites Supported in PAN-OS 9.0

If the server uses a certificate chain, note that the firewall does not forward the intermediate and root CA certificates sent by the server; it presents only the certificate imported on it. The chain therefore has to be assembled manually, with the server certificate followed by the intermediate CA certificates, and imported on the firewall as a single chained certificate. For information on this, please refer to this article: How to Install a Chained Certificate Signed by a Public CA.

The server has to be configured not to send a CertificateRequest, that is, client certificate authentication (required or optional) must be disabled for the inspected service, because this is currently not supported. If clients are sending SSL alerts, take packet captures on both sides of the firewall, read the level and description of the alert to determine why the client is refusing the handshake, and rectify accordingly.
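The following script is the check a practitioner would run on those packet captures. It is an added example, not code from the article or from PAN-OS: it parses the cleartext TLS 1.2 records of each direction, reports the negotiated cipher suite (RSA versus (EC)DHE), how many certificates the server sends, whether the server sends a CertificateRequest and any alerts with their decoded description, and maps these onto the causes listed in the Cause section. The cipher-suite and alert tables are deliberately partial, and the sample streams at the bottom are constructed with placeholder certificate bytes rather than real DER.

```python
"""Triage of a captured TLS 1.2 handshake against the inbound-inspection
failure causes on this page.  Added example, not PAN-OS code.  Input is the raw
TLS record bytes of each direction, as exported from a packet capture (e.g.
Wireshark 'Follow TCP Stream', raw).  The sample at the bottom is constructed."""

CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE = 20, 21, 22
SERVER_HELLO, CERTIFICATE, CERTIFICATE_REQUEST, SERVER_HELLO_DONE = 2, 11, 13, 14

# Partial IANA cipher-suite table; unlisted IDs are reported as unknown so they
# can be checked against the supported-ciphers article for the PAN-OS release.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256", 0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}
ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
          42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
          45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
          49: "access_denied", 50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
          71: "insufficient_security", 80: "internal_error"}
CERT_ALERTS = ("bad_certificate", "unsupported_certificate", "certificate_expired", "certificate_unknown", "unknown_ca")


def parse_records(stream: bytes) -> list:
    """(content_type, payload) per TLS record; stops at ChangeCipherSpec, since
    what follows is encrypted, and at a truncated record."""
    out, i = [], 0
    while i + 5 <= len(stream):
        ctype, length = stream[i], int.from_bytes(stream[i + 3:i + 5], "big")
        payload = stream[i + 5:i + 5 + length]
        if ctype == CHANGE_CIPHER_SPEC or len(payload) < length:
            break
        out.append((ctype, payload))
        i += 5 + length
    return out


def parse_handshakes(data: bytes) -> list:
    """(message_type, body) from handshake payloads reassembled across records."""
    out, i = [], 0
    while i + 4 <= len(data):
        mtype, length = data[i], int.from_bytes(data[i + 1:i + 4], "big")
        out.append((mtype, data[i + 4:i + 4 + length]))
        i += 4 + length
    return out


def triage(server_stream: bytes, client_stream: bytes = b"") -> dict:
    """Report what the server sent and which causes from this page it matches."""
    f = {"cipher_suite": "not seen", "key_exchange": "unknown", "chain_length": 0,
         "client_cert_requested": False, "alerts": [], "likely_causes": []}
    handshake = b"".join(p for t, p in parse_records(server_stream) if t == HANDSHAKE)
    for mtype, body in parse_handshakes(handshake):
        if mtype == SERVER_HELLO:           # version(2) random(32) sid_len(1) sid suite(2) ...
            sid_len = body[34]
            suite = int.from_bytes(body[35 + sid_len:37 + sid_len], "big")
            f["cipher_suite"] = name = CIPHER_SUITES.get(suite, f"unknown 0x{suite:04X}")
            if "DHE" in name:
                f["key_exchange"] = "(EC)DHE: firewall must proxy"
            elif name.startswith("TLS_RSA_"):
                f["key_exchange"] = "RSA: passive decryption possible"
        elif mtype == CERTIFICATE:          # total_len(3), then len(3) + DER per certificate
            j = 3
            while j + 3 <= len(body):
                j += 3 + int.from_bytes(body[j:j + 3], "big")
                f["chain_length"] += 1
        elif mtype == CERTIFICATE_REQUEST:
            f["client_cert_requested"] = True
    for side, stream in (("server", server_stream), ("client", client_stream)):
        for ctype, payload in parse_records(stream):
            if ctype == ALERT and len(payload) >= 2:
                level = "fatal" if payload[0] == 2 else "warning"
                f["alerts"].append((side, level, ALERTS.get(payload[1], str(payload[1]))))
    causes = f["likely_causes"]
    if f["cipher_suite"].startswith("unknown"):
        causes.append("cipher suite not in the local table: verify it against the supported-ciphers list")
    if f["client_cert_requested"]:
        causes.append("server sends CertificateRequest (client certificate authentication): not supported, disable it")
    if f["chain_length"] > 1:
        causes.append(f"server sends a {f['chain_length']}-certificate chain: import the chained certificate on the firewall")
    if any(s == "client" and d in CERT_ALERTS for s, _, d in f["alerts"]):
        causes.append("client rejected the certificate presented by the firewall: check the imported chain")
    if any(s == "server" and d in ("handshake_failure", "insufficient_security") for s, _, d in f["alerts"]):
        causes.append("server refused the firewall's ClientHello: ciphers/curves do not match the decryption profile")
    return f


# ---- constructed sample flight (not a real capture) --------------------------
def _frame(header: bytes, body: bytes, length_bytes: int) -> bytes:
    """TLS framing: header, big-endian length (3 bytes for handshake messages, 2 for records), body."""
    return header + len(body).to_bytes(length_bytes, "big") + body


def sample_streams(suite: int, chain: int, request_client_cert: bool) -> tuple:
    """Server flight with `chain` placeholder certificates, plus a fatal unknown_ca alert from the client."""
    server_hello = b"\x03\x03" + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00"
    certs = b"".join(_frame(b"", b"\x30\x03\x02\x01" + bytes([i]), 3) for i in range(chain))
    flight = _frame(bytes([SERVER_HELLO]), server_hello, 3) + _frame(bytes([CERTIFICATE]), _frame(b"", certs, 3), 3)
    if request_client_cert:   # one certificate type (rsa_sign), empty signature-algorithm and CA lists
        flight += _frame(bytes([CERTIFICATE_REQUEST]), b"\x01\x01\x00\x00\x00\x00", 3)
    flight += _frame(bytes([SERVER_HELLO_DONE]), b"", 3)
    return _frame(bytes([HANDSHAKE, 3, 3]), flight, 2), _frame(bytes([ALERT, 3, 3]), bytes([2, 48]), 2)
```

Capture on the server side of the firewall to see what the real server sends (once the proxy is engaged, a client-side capture shows the firewall's handshake toward the client, not the server's), and on the client side to see the client's alert. Export each direction as raw bytes and pass them to triage(); only the cleartext portion of a TLS 1.2 or earlier handshake is parsed, and a truncated record or a ChangeCipherSpec ends parsing.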

Additional Information
For additional information on SSL inbound inspection, please review this article: SSL Inbound Inspection.

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5iCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail