Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
Traffic not being decrypted for SSL sessions using client certi... - Knowledge Base - Palo Alto Networks

Traffic not being decrypted for SSL sessions using client certificates.

19687
Created On 07/16/20 19:01 PM - Last Modified 10/27/20 03:03 AM


Symptom


URL example.host.com is not get decrypted by the firewall.
  • The firewall decryption profile and the certificates used for decryption appear to be correct.
  • We are expecting that traffic from the source zone to the destination zone should match the decryption rule but the traffic logs do not show that it was decrypted.
  • We also do not see that domain example.host.com added to the decryption exclusion list on GUI: Device > Certificate Management > SSL Decryption Exclusion
  • To troubleshoot further we look at the following on the firewall CLI:
show system setting ssl-decrypt exclude-cache

The exclude-cache includes the IPs for example.host.com (98.115.16.231, 65.210.90.11) retrieved from nslookup
 
VSYS SERVER APP TIMEOUT REASON DECRYPTED_APP PROFILE EXCLUSION_LIST_MATCH
1 65.210.90.11:443 ssl 9185 SSL_CLIENT_CERT undecided THD-Decryption-profile No
1 98.115.16.231:443 ssl 4002 SSL_CLIENT_CERT undecided THD-Decryption-profile No
  • After setting up the filters for the traffic on the firewall we can also look at the corresponding global counters:
show counter global | match proxy
proxy_exclude_by_cache 11009 0 info proxy pktproc Number of ssl sessions bypassed proxy because of exclusion cache

 


Environment


  • All PAN-OS
  • Palo Alto firewall.
  • SSL Decryption configured.


Cause


In the "show system setting ssl-decrypt exclude-cache" output, the "SSL_CLIENT_CERT" means that the site is doing certificate-based client authentication.

A client certificate can't be spoofed because you cannot generate a client certificate on the fly that matches the CA requested by the server, so the firewall adds it to the exclude cache.

The global counter proxy_exclude_by_cache is incrementing because the client sends a certificate verify message, which we do not support 



Resolution


Decryption is not possible if a client who is initiating an SSL connection is using client certificates.

Additional Information


Live community discussion: https://live.paloaltonetworks.com/t5/general-topics/ssl-decrypt-exclude-cache-ssl-client-cert/td-p/235152#
 


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UtLCAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language