
Threat Prevention does not scan the TLS handshake when SSL Decryption is enabled

Information

Title: Threat Prevention does not scan the TLS handshake when SSL Decryption is enabled
URL Name: Threat-Prevention-does-not-scan-the-TLS-handshake-when-SSL-Decryption-is-enabled
Summary: When SSL Decryption is enabled, threat prevention (IPS) does not scan for patterns present in the TLS handshake messages.
Validation Status: Validated - External
Publication Status: Published
Symptom
When SSL Decryption is enabled, URL Filtering and Threat Prevention do not scan TLS handshake messages.
Environment
  • Palo Alto Firewalls
  • SSL Decryption
Cause
The PAN-OS default Threat Prevention packet flow logic will skip (not scan) TLS handshakes when SSL Decryption is enabled.
Resolution
  1. TLS Handshake scanning is supported with PAN-OS 10.1.
  2. To enable the scan-handshake logic:
    1. Make sure you are running PAN-OS 10.1 or newer.
    2. GUI: Device > Setup > Session > Decryption Settings > SSL Decryption Settings > and enable the checkbox titled "Send handshake messages to CTD for inspection".
    3. Commit the changes.

CLI command:

> configure
# set deviceconfig setting ssl-decrypt scan-handshake yes
# commit
# exit
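The resolution above is a per-firewall manual change, so a practitioner will usually want to verify across a fleet that every decrypting firewall on PAN-OS 10.1 or newer actually has scan-handshake committed. The following audit helper is an added example, not code from this KB article or from Palo Alto Networks. It assumes the PAN-OS XML API response shapes sketched in the constructed sample strings (a `show system info` result carrying `<sw-version>`, and a config `get` on the `deviceconfig/setting/ssl-decrypt` node, the XPath equivalent of the `set deviceconfig setting ssl-decrypt scan-handshake yes` command); the samples are constructed here so the script runs offline, and a real run would substitute the XML fetched from `/api/` on each firewall.

```python
"""Audit whether a PAN-OS firewall inspects TLS handshakes when SSL Decryption is on.

Added example (not from the KB article or PAN-OS). The XML strings below are
constructed stand-ins for what the PAN-OS XML API would return; the element
paths are assumptions derived from the CLI command in the article.
"""
import xml.etree.ElementTree as ET

# Constructed sample: abbreviated response to
#   /api/?type=op&cmd=<show><system><info/></system></show>
SAMPLE_SYSTEM_INFO = """<response status="success"><result><system>
<hostname>fw-edge-1</hostname>
<sw-version>10.1.6-h3</sw-version>
</system></result></response>"""

# Constructed sample: config get on (assumed XPath)
#   /config/devices/entry[@name='localhost.localdomain']/deviceconfig/setting/ssl-decrypt
# after `set deviceconfig setting ssl-decrypt scan-handshake yes` was committed.
SAMPLE_SSL_DECRYPT_ENABLED = """<response status="success"><result>
<ssl-decrypt><scan-handshake>yes</scan-handshake></ssl-decrypt>
</result></response>"""

# Constructed sample: the node is absent because the setting was never
# committed; the article's Cause section says the default is to skip handshakes.
SAMPLE_SSL_DECRYPT_DEFAULT = """<response status="success"><result/></response>"""

MIN_VERSION = (10, 1)  # handshake scanning is supported from PAN-OS 10.1


def parse_version(sw_version: str) -> tuple:
    """'10.1.6-h3' -> (10, 1, 6); hotfix suffixes such as '-h3' are dropped."""
    base = sw_version.split("-", 1)[0]
    return tuple(int(part) for part in base.split("."))


def get_sw_version(system_info_xml: str) -> str:
    """Pull <sw-version> out of a `show system info` response."""
    root = ET.fromstring(system_info_xml)
    node = root.find("./result/system/sw-version")
    if node is None or not node.text:
        raise ValueError("sw-version missing from system info response")
    return node.text.strip()


def handshake_scan_enabled(ssl_decrypt_xml: str) -> bool:
    """True only when scan-handshake is explicitly 'yes'; an absent node is the default 'no'."""
    root = ET.fromstring(ssl_decrypt_xml)
    node = root.find("./result/ssl-decrypt/scan-handshake")
    return node is not None and (node.text or "").strip().lower() == "yes"


def audit(system_info_xml: str, ssl_decrypt_xml: str) -> dict:
    """Classify one firewall as compliant, non-compliant, or on a version without the feature."""
    version = get_sw_version(system_info_xml)
    result = {"sw_version": version}
    if parse_version(version)[:2] < MIN_VERSION:
        result["status"] = "unsupported-version"
        result["detail"] = "Handshake scanning needs PAN-OS 10.1 or newer"
        return result
    if handshake_scan_enabled(ssl_decrypt_xml):
        result["status"] = "compliant"
        result["detail"] = "TLS handshake messages are sent to CTD for inspection"
    else:
        result["status"] = "non-compliant"
        result["detail"] = ("scan-handshake is off; run "
                            "'set deviceconfig setting ssl-decrypt scan-handshake yes' and commit")
    return result


if __name__ == "__main__":
    for label, cfg in (("enabled", SAMPLE_SSL_DECRYPT_ENABLED),
                       ("default", SAMPLE_SSL_DECRYPT_DEFAULT)):
        print(label, audit(SAMPLE_SYSTEM_INFO, cfg))
```

The check treats a missing `scan-handshake` node the same as an explicit `no`, because the article's Cause section states that skipping the handshake is the default packet-flow behaviour; a firewall below 10.1 is reported separately, since enabling the setting there is not an option and the fix is an upgrade first.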
