SSL Traffic matching an 'allow' security policy is dropped with action 'allow' and session end reason 'policy-deny'

12633
Created On 05/31/23 15:04 PM - Last Modified 02/21/24 20:05 PM


Symptom


  • Unable to access a server via HTTPS even though the traffic is allowed in the security policy.
  • Traffic logs for that SSL traffic show type 'deny', action 'allow' and session end reason 'policy-deny'.
  • The following global counter is detected: 
    • ssl_partial_client_hello_incomplete - Number of ssl session with partial client hello missing critical info


Environment


  • Any Palo Alto Firewall
  • PAN-OS version 9.1.12 and later
  • PAN-OS version 10.0.9 and later
  • PAN-OS version 10.1.3 and later


Cause


A fix introduced in the PAN-OS versions listed above for PAN-175652 changed how the firewall handles fragmented TLS Client Hello packets. By default, the firewall now denies a session whose Client Hello is truncated before it evaluates the decryption policy, because a truncated Client Hello lacks information the firewall needs for its decryption decision, such as the cipher suites or the TLS versions. This also affects sessions whose traffic is excluded from decryption.

Resolution


  1. Connect to the firewall CLI.
  2. Enter the following command to prevent the firewall from dropping truncated Client Hello packets:
    debug proxy discard-partial-client-hello enable no


Additional Information


Not all truncated Client Hello packets are dropped: if the packet still contains the Server Name Indication (SNI), the firewall applies the matching decryption policy rules to the session.
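To make the "partial client hello missing critical info" condition from the Cause and Additional Information sections concrete, the following added example (not Palo Alto Networks code) parses a TLS ClientHello record and reports which of the fields the article names (cipher suites, TLS versions, SNI) survive truncation. The `verdict` function is a deliberately simplified model of the behaviour the article describes, where a partial Client Hello is denied unless the SNI is present or `discard-partial-client-hello` is disabled; the real PAN-OS logic is more involved and is assumed here only to the extent the article states it. The sample ClientHello is constructed inline and assumes the whole message sits in a single TLS record.

```python
"""Parse a TLS ClientHello and flag the 'partial client hello' condition.

Added example, not Palo Alto Networks code.  Assumes one TLS record carries
the whole ClientHello (no record-layer fragmentation)."""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B


class Truncated(Exception):
    """Raised when the buffer ends before a field the parser needs."""


def _take(buf, pos, n):
    """Return buf[pos:pos+n] and the new offset, or raise Truncated."""
    if pos + n > len(buf):
        raise Truncated()
    return buf[pos:pos + n], pos + n


def _parse_sni(ext):
    """Extract the first host_name entry from a server_name extension body."""
    pos = 2  # skip the server_name_list length
    while pos + 3 <= len(ext):
        name_type = ext[pos]
        name_len = struct.unpack("!H", ext[pos + 1:pos + 3])[0]
        name = ext[pos + 3:pos + 3 + name_len]
        if name_type == 0 and len(name) == name_len:
            return name.decode("ascii")
        pos += 3 + name_len
    return None


def parse_client_hello(data):
    """Report what can be recovered from the bytes of a ClientHello record.

    'complete' is True only when the whole handshake message is present;
    'cipher_suites', 'versions' and 'sni' are None when the field could not
    be read before the buffer ran out."""
    info = {"complete": False, "cipher_suites": None, "versions": None, "sni": None}
    try:
        hdr, pos = _take(data, 0, 5)
        ctype, _rec_ver, _rec_len = struct.unpack("!BHH", hdr)
        if ctype != TLS_HANDSHAKE:
            raise ValueError("not a TLS handshake record")
        hs_hdr, pos = _take(data, pos, 4)
        if hs_hdr[0] != CLIENT_HELLO:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs_hdr[1:4], "big")
        info["complete"] = len(data) >= 9 + hs_len
        legacy_ver, pos = _take(data, pos, 2)
        info["versions"] = [struct.unpack("!H", legacy_ver)[0]]
        _random, pos = _take(data, pos, 32)
        sid_len, pos = _take(data, pos, 1)
        _sid, pos = _take(data, pos, sid_len[0])
        cs_len, pos = _take(data, pos, 2)
        cs, pos = _take(data, pos, struct.unpack("!H", cs_len)[0])
        info["cipher_suites"] = [struct.unpack("!H", cs[i:i + 2])[0]
                                 for i in range(0, len(cs), 2)]
        comp_len, pos = _take(data, pos, 1)
        _comp, pos = _take(data, pos, comp_len[0])
        ext_len, pos = _take(data, pos, 2)
        ext_end = pos + struct.unpack("!H", ext_len)[0]
        while pos < ext_end:
            ehdr, pos = _take(data, pos, 4)
            etype, elen = struct.unpack("!HH", ehdr)
            edata, pos = _take(data, pos, elen)
            if etype == EXT_SERVER_NAME:
                info["sni"] = _parse_sni(edata)
            elif etype == EXT_SUPPORTED_VERSIONS and len(edata) >= 1:
                n = edata[0]  # supported_versions carries its own byte count
                info["versions"] = [struct.unpack("!H", edata[1 + i:3 + i])[0]
                                    for i in range(0, n, 2)]
    except Truncated:
        pass  # fields read so far stay filled in; the rest remain None
    return info


def verdict(info, discard_partial=True):
    """Simplified model of the article's description (an assumption, not PAN-OS
    code): a complete Client Hello or one that still carries the SNI goes on to
    decryption policy evaluation; any other partial Client Hello is denied
    while discard-partial-client-hello is enabled."""
    if info["complete"] or info["sni"] is not None:
        return "evaluate-decryption-policy"
    return "policy-deny" if discard_partial else "evaluate-decryption-policy"


def build_client_hello(sni, cipher_suites, versions=(0x0304, 0x0303)):
    """Construct a minimal ClientHello record (constructed sample input)."""
    host = sni.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext = (struct.pack("!HH", EXT_SERVER_NAME, len(sni_entry) + 2)
               + struct.pack("!H", len(sni_entry)) + sni_entry)
    sv = b"".join(struct.pack("!H", v) for v in versions)
    sv_ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv) + 1) + bytes([len(sv)]) + sv
    exts = sni_ext + sv_ext
    cs = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body = (struct.pack("!H", 0x0303) + b"\x00" * 32 + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


if __name__ == "__main__":
    rec = build_client_hello("example.com", [0x1301, 0x1302, 0xC02F])
    for label, cut in (("full", len(rec)), ("cut-in-ciphers", 50), ("cut-after-sni", 80)):
        info = parse_client_hello(rec[:cut])
        print(label, info, "->", verdict(info), "/", verdict(info, discard_partial=False))
```

Truncating the sample inside the cipher-suite list leaves no cipher suites and no SNI, which is the case the article says is denied by default and passed through once `debug proxy discard-partial-client-hello enable no` is set; truncating after the SNI extension leaves the SNI readable, which is the case the article says still reaches decryption policy evaluation.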

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kI0RCAU&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail