Threat Prevention does not scan the TLS handshake when SSL Decryption is enabled

Created On 02/04/22 20:02 PM - Last Modified 11/02/24 01:44 AM


Symptom


When SSL Decryption is enabled, URL Filtering and Threat Prevention do not scan TLS handshake messages.

Environment


  • Palo Alto Firewalls
  • SSL Decryption


Cause


By default, the PAN-OS Threat Prevention packet flow logic skips (does not scan) TLS handshake messages when SSL Decryption is enabled.

Resolution


  1. TLS handshake scanning is supported starting with PAN-OS 10.1.
  2. To enable the scan-handshake logic:
    1. Make sure you are running PAN-OS 10.1 or newer.
    2. GUI: Device > Setup > Session > Decryption Settings > SSL Decryption Settings, then enable the checkbox titled "Send handshake messages to CTD for inspection".
    3. Commit the changes.

CLI command:

> configure
# set deviceconfig setting ssl-decrypt scan-handshake yes
# commit
# exit
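As an added example (not part of this article), a short Python check that audits an exported PAN-OS configuration for this setting, so a defender can verify the option is actually in the running config after the commit. It assumes the XML path mirrors the set-command hierarchy above and that the <config> root carries a version attribute; the config fragments are constructed.

```python
"""Audit an exported PAN-OS configuration for the scan-handshake setting.

Assumption: the XML path mirrors the CLI hierarchy from the article
(set deviceconfig setting ssl-decrypt scan-handshake yes) and the <config>
root carries a version attribute. All fragments below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed fragment: option enabled on a supported release.
CONFIG_ENABLED = """<config version="10.1.0">
  <devices><entry name="localhost.localdomain">
    <deviceconfig><setting><ssl-decrypt>
      <scan-handshake>yes</scan-handshake>
    </ssl-decrypt></setting></deviceconfig>
  </entry></devices>
</config>"""

# Constructed fragment: supported release, option left at its default (absent),
# which the article describes as skipping TLS handshakes.
CONFIG_DEFAULT = """<config version="10.1.0">
  <devices><entry name="localhost.localdomain">
    <deviceconfig><setting><ssl-decrypt/></setting></deviceconfig>
  </entry></devices>
</config>"""

# Constructed fragment: release older than 10.1, where the option is unsupported.
CONFIG_OLD = """<config version="10.0.8"><devices/></config>"""

SCAN_HANDSHAKE_XPATH = "./devices/entry/deviceconfig/setting/ssl-decrypt/scan-handshake"

def parse_version(version):
    """Return (major, minor) for a PAN-OS version string such as '10.1.6'."""
    parts = version.split(".")
    minor = int(parts[1]) if len(parts) > 1 else 0
    return (int(parts[0]), minor)

def scan_handshake_enabled(root):
    """True only when scan-handshake is explicitly set to yes."""
    node = root.find(SCAN_HANDSHAKE_XPATH)
    return node is not None and (node.text or "").strip().lower() == "yes"

def audit(xml_text):
    """Classify a config export as unsupported, disabled or enabled."""
    root = ET.fromstring(xml_text)
    if parse_version(root.get("version", "0.0")) < (10, 1):
        return "unsupported"  # TLS handshake scanning needs PAN-OS 10.1 or newer
    return "enabled" if scan_handshake_enabled(root) else "disabled"

if __name__ == "__main__":
    for name, cfg in [("enabled", CONFIG_ENABLED), ("default", CONFIG_DEFAULT), ("old", CONFIG_OLD)]:
        print(f"{name}: {audit(cfg)}")
```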

Additional Information


Enhanced Handling of SSL/TLS Handshakes for Decrypted Traffic
Advanced URL Filtering: Inspect SSL/TLS Handshakes



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oN8ICAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail