Palo Alto Networks Decryption Troubleshooting Guide

1. SSL Forward Proxy Decryption

SSL Forward Proxy decrypts outbound SSL/TLS traffic, allowing the firewall to inspect encrypted content. The firewall acts as an intermediary, establishing separate SSL sessions with the client and the server.

Common Issues:

Certificate errors due to untrusted or expired certificates.
Unsupported cipher suites or TLS versions.
Applications using certificate pinning, preventing decryption.

Troubleshooting Steps:

Check the Decryption Logs under Monitor > Logs > Decryption for error details.
Use the Application Command Center (ACC) to identify decryption failures and their reasons.
Verify that the firewall's Forward Trust Certificate is correctly installed and trusted by client devices.
Ensure that the Decryption Policy and Decryption Profile are properly configured.

For more information, refer to the SSL Forward Proxy Documentation .

2. SSL Inbound Inspection

SSL Inbound Inspection decrypts inbound SSL/TLS traffic destined for internal servers. The firewall requires the server's private key to decrypt the traffic.

Common Issues:

Performance degradation due to resource-intensive decryption processes.
Incorrect or missing server certificates and private keys on the firewall.
Sessions using unsupported features like client authentication or certificate pinning.

Troubleshooting Steps:

Ensure that the correct server certificate and private key are installed on the firewall.
Verify that the Decryption Policy includes rules for inbound traffic and is associated with the appropriate Decryption Profile .
Monitor system performance using CLI commands like show system resources and show running resource-monitor .

For detailed guidance, see the SSL Inbound Inspection Documentation .

3. SSH Proxy

SSH Proxy enables the firewall to decrypt and inspect SSH traffic, preventing unauthorized tunneling of applications and data.

Common Issues:

SSH sessions using public key authentication may fail when decryption is enabled.
SSH tunnels (e.g., port forwarding) may bypass security policies if not properly inspected.

Troubleshooting Steps:

Configure Security Policy Rules to allow legitimate SSH traffic and deny unauthorized SSH tunneling applications like ssh-tunnel .
Use the CLI command show session all filter application ssh to monitor active SSH sessions.
Review the Decryption Logs for SSH-related errors and session details.

Refer to the SSH Proxy Documentation for more information.

4. Resource Usage and Performance Monitoring

Decryption processes can be resource-intensive, potentially impacting firewall performance.

Monitoring Tools:

show system resources : Displays management plane resource usage.
show running resource-monitor : Provides data plane resource statistics.
show session info : Offers session-related information, including decryption statistics.

5. Monitoring Tools and Best Practices

Effective monitoring is crucial for maintaining optimal decryption performance and promptly identifying issues. Palo Alto Networks provides several tools and practices to assist in this endeavor.

Decryption Logs:

Access detailed logs under Monitor > Logs > Decryption to review session-specific information such as source/destination IPs, TLS versions, cipher suites, and error messages.
By default, unsuccessful TLS handshakes are logged. To log successful handshakes, enable this option in the decryption policy rule settings.
Utilize filters to isolate specific issues, such as sessions failing due to certificate errors or unsupported protocols.

Application Command Center (ACC):

Use the ACC's SSL Activity widgets to visualize decrypted versus undecrypted traffic, identify common failure reasons, and monitor trends over time.
Drill down into specific applications or destinations to assess the impact of decryption policies.

Resource Monitoring:

Execute the CLI command show running resource-monitor to assess real-time CPU and memory usage, focusing on processes related to decryption like func_ssl_proxy_proc .
Monitor the SSL certificate cache using show system setting ssl-decrypt memory to ensure it isn't nearing capacity, which could lead to decryption failures.

Best Practices:

Regularly update the firewall's software to benefit from the latest decryption features and fixes.
Maintain an updated SSL Decryption Exclusion list to bypass sites known to cause issues due to technical constraints like certificate pinning.
Balance security and performance by selectively decrypting traffic based on risk assessment, focusing on high-risk categories and critical applications.
Engage in periodic reviews of decryption policies and logs to adapt to evolving network patterns and threats.

For comprehensive guidance, refer to the Decryption Troubleshooting Documentation .

🔐 Palo Alto Networks Decryption Troubleshooting Guide

1. SSL Forward Proxy Decryption

2. SSL Inbound Inspection

3. SSH Proxy

4. Resource Usage and Performance Monitoring

5. Monitoring Tools and Best Practices