User's connection is not decrypted as configured due to TLS1.3 Kyber Support on browser

• SSL Decryption is properly configured.
• Some users connection are not always decrypted as per the configuration.
• Some users with "no-decrypt" option set is still decrypted.

• Palo Alto Firewalls
• Supported PAN-OS
• Prisma Access
• Modern browser (like Chrome Browser 124 and Higher)

• This issue is caused by the TLS 1.3 hybridized Kyber support on the modern browsers - Reference link .
• So the SSL client hello packet becomes too large and fragmented. When the fragmented client hello packets are received by the firewall, the SSL decryption isn't working correctly as to the single-packet Client hello.

1. The issue is addressed under PAN-247099  in PAN-OS 10.2.11, 11.0.7, 11.2.2 and higher versions.
2. It will also be fixed in the upcoming 11.0.7 version.
3. The issue is also fixed in some of the hotfix versions of different PAN-OS. (Refer list below.

11.2.2, 11.2.3, 10.2.11, 11.1.5, 11.0.7, 12.1.0, 10.2.7-h11, 11.1.3-h2, 10.2.9-h9, 10.2.10-h2, 11.1.2-h9, 10.2.8-h10, 10.2.4-h25, 11.1.4-h4 

Workaround:  

1. Open a new browser tab.
2. Copy and paste the following to the Edge or Chrome tab.

edge://flags/#enable-tls13-kyber

chrome://flags/#enable-tls13-kyber

3. Set the option to Disabled.
4. Restart the browser and test the connection and see if it's decrypted/non-decrypted correctly.