High System Log Messages: fips-cipher "Cipher decrypt-final failure"
Created On 03/14/23 23:04 PM - Last Modified 11/03/25 18:55 PM
Symptom
- High System Log Messages: fips-cipher "Cipher decrypt-final failure"
Environment
- Firewalls running on FIPS-CC Mode
- All Pan-OS
Cause
- The SSL Protocol Setting of the decryption profile is configured with cipher suites that are not supported in FIPS-CC mode for the running PAN-OS version.
- The certificate was generated or imported with parameters that are not FIPS-CC compatible.
Resolution
- Enable the cipher suites that are supported in FIPS-CC mode and disable the cipher suites that are not supported for the firewall's PAN-OS version.
- Refer to the document below:
- Cipher Suites Supported in FIPS-CC Mode: https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites/cipher-suites-supported-in-pan-os-10-2/cipher-suites-supported-in-pan-os-10-2-fips-cc#id69d4d635-27a5-489e-bb69-2cfc45137a65
- Remove the algorithms and encryptions that are not supported from the profile by unchecking their boxes.
- Under Objects > Decryption Profile > SSL Decryption > SSL Protocol Setting:
  - Key Exchange Algorithms:
    - Check RSA.
    - Uncheck DHE.
  - Encryption Algorithms:
    - Check the 4 AES types only.
    - Uncheck CHACHA20-POLY1305.
  - Authentication Algorithms:
    - Uncheck the MD5 algorithm.
- That should fix the issue. If it does not change the behavior, confirm that the certificate was generated with compatible parameters:
  - RSA: the algorithm is RSA, the number of bits is 2048 and the digest is sha256.
  - ECDSA: key pair generation on NIST curves P-256 or P-384.
  - Confirm all the compatible parameters against the document linked above.
- If the certificate is compatible with the correct parameters, delete the CSR certificate that was requested in non-FIPS mode and generate a new CSR in FIPS-CC mode, signed by the customer's PKI.
- If the certificate is not compatible, delete the certificate and regenerate it, first from the same PKI, and then generate it from the firewall or from the customer's PKI. Verify that the CSR certificate was generated with compatible parameters.
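As an added example (not Palo Alto Networks code), the POSIX shell script below uses the openssl CLI to read a PEM certificate and report whether its key algorithm, key size and signature digest match the parameters listed above (RSA 2048 with sha256, or ECDSA on P-256/P-384). The certificates it checks are constructed locally as sample input, and the `fips_cert_check` and `make_demo_cert` names are the example's own.

```shell
#!/bin/sh
# Added example, not Palo Alto Networks code. Requires the openssl CLI.
# fips_cert_check CERT.pem: reports whether the certificate's parameters match the
# ones this article lists as FIPS-CC compatible (RSA 2048-bit key with a sha256
# digest, or an ECDSA key on NIST P-256 / P-384).
# Exit status: 0 compatible, 1 incompatible, 2 certificate could not be read.
fips_cert_check() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo "unreadable: $1"; return 2; }
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n1)
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
    curve=$(printf '%s\n' "$text" | sed -n 's/^ *NIST CURVE: *//p' | head -n1)
    case "$alg" in
        rsaEncryption)
            # RSA parameters from the article: 2048 bits and a sha256 digest.
            [ "$bits" = 2048 ] || { echo "incompatible: RSA key is $bits bits, expected 2048"; return 1; }
            [ "$sig" = sha256WithRSAEncryption ] || { echo "incompatible: signature $sig, expected sha256"; return 1; }
            ;;
        id-ecPublicKey)
            # ECDSA parameters from the article: NIST curves P-256 or P-384.
            case "$curve" in
                P-256|P-384) ;;
                *) echo "incompatible: curve '$curve' is not P-256 or P-384"; return 1 ;;
            esac
            ;;
        *)
            echo "incompatible: key algorithm '$alg' is not RSA or ECDSA"; return 1 ;;
    esac
    echo "compatible: $alg ($bits bit${curve:+, $curve}), signature $sig"
}

# make_demo_cert DIR NAME [openssl req options]: writes a constructed self-signed
# certificate DIR/NAME.pem as sample input; it is not a firewall certificate.
make_demo_cert() {
    dir=$1; name=$2; shift 2
    openssl req -x509 -nodes -days 1 -subj "/CN=demo-$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.pem" "$@" >/dev/null 2>&1
}

# Stand-alone demo: three constructed certificates, two compatible and one not.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir" rsa2048 -newkey rsa:2048 -sha256
make_demo_cert "$demo_dir" p256 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -sha256
make_demo_cert "$demo_dir" rsa1024 -newkey rsa:1024 -sha256
for name in rsa2048 p256 rsa1024; do
    fips_cert_check "$demo_dir/$name.pem" || true
done
rm -rf "$demo_dir"
```

Run it against the certificate exported from the firewall (or the CSR's signed result) to see which of the article's parameters it fails before regenerating.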
Additional Information
Cipher Suites Supported in FIPS-CC Mode: https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites/cipher-suites-supported-in-pan-os-10-2/cipher-suites-supported-in-pan-os-10-2-fips-cc#id69d4d635-27a5-489e-bb69-2cfc45137a65