Panorama pushed configuration of template stack causing packet drops with SSL decryption policy

Created On 03/31/20 22:37 PM - Last Modified 05/08/25 22:19 PM


Symptom


SSL decryption: the no-decrypt setting causes packet drops with an invalid certificate.

Environment


  • Panorama-VM
  • Palo Alto Firewall
  • Device Deployment/Template-Stack
  • Supported PAN-OS versions


 



Cause


  • The Template-Stack does not inherit the "Trust Root CA certificate" check option configured on the local template.
  • During the merge of the template configuration into the stack, the template information is overwritten with the stack information.


Resolution


  1. Configure all changes in the template and not the stack.
  2. Any existing override configuration in the stack can be removed using the "delete template-stack <name> config shared ssl-decrypt" command.
Example:
test@xxxx(primary-active)# delete template-stack xxxxx config shared ssl-decrypt
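
To find which stacks carry such an override before deleting anything, an exported Panorama configuration can be checked offline. The script below is an added example, not Palo Alto Networks code: it assumes the exported XML mirrors the CLI path (devices/entry/template-stack/entry/config/shared/ssl-decrypt, with Trusted Root CA entries under trusted-root-CA/member), and the sample config, template and stack names, and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample export. The element layout is an assumption that mirrors the
# CLI path "template-stack <name> config shared ssl-decrypt"; all names are made up.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
  <template>
    <entry name="tpl-decrypt"><config><shared><ssl-decrypt>
      <trusted-root-CA><member>corp-root-ca</member></trusted-root-CA>
    </ssl-decrypt></shared></config></entry>
  </template>
  <template-stack>
    <entry name="stack-branch">
      <templates><member>tpl-decrypt</member></templates>
      <config><shared><ssl-decrypt/></shared></config>
    </entry>
    <entry name="stack-hq">
      <templates><member>tpl-decrypt</member></templates>
    </entry>
  </template-stack>
</entry></devices></config>"""

SSL_DECRYPT = "./config/shared/ssl-decrypt"

def trusted_roots(entry):
    """Trusted Root CA names set in one template or stack entry."""
    return {m.text for m in entry.findall(SSL_DECRYPT + "/trusted-root-CA/member")}

def find_stack_overrides(xml_text):
    """List stacks whose own ssl-decrypt section overrides their templates."""
    findings = []
    for dev in ET.fromstring(xml_text).findall("./devices/entry"):
        templates = {t.get("name"): t for t in dev.findall("./template/entry")}
        for stack in dev.findall("./template-stack/entry"):
            if stack.find(SSL_DECRYPT) is None:
                continue  # nothing set at stack level, templates apply as written
            inherited = set()
            for member in stack.findall("./templates/member"):
                if member.text in templates:
                    inherited |= trusted_roots(templates[member.text])
            name = stack.get("name")
            findings.append({
                "stack": name,
                # CAs the templates trust that the stack-level section lacks
                "masked_trusted_roots": sorted(inherited - trusted_roots(stack)),
                "fix": f"delete template-stack {name} config shared ssl-decrypt",
            })
    return findings

if __name__ == "__main__":
    for finding in find_stack_overrides(SAMPLE_CONFIG):
        print(finding)
```

Each finding names the stack, the Trusted Root CA entries from its templates that the stack-level section does not carry, and the delete command from step 2 with the stack name filled in.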


Additional Information


  • Template with Trusted Root CA configured
  • Template-Stack not showing Trusted Root CA

