SSL Forward Proxy on Palo Alto Networks firewalls decrypts outbound SSL/TLS traffic from clients to external servers. This allows inspection for threats, data loss prevention, and policy enforcement. It acts as a "man-in-the-middle," re-signing server certificates with a Forward Trust CA certificate trusted by clients.
Key Goal: Gain visibility into encrypted outbound traffic for security inspection.
A successful SSL Forward Proxy deployment involves these core steps:

- Configure a Decryption Profile (`Objects > Decryption Profile`) to define SSL/TLS parameters, certificate checks, and actions for unsupported modes or failures.
- Create a Decryption Policy (`Policies > Decryption`) to specify what traffic to decrypt (Action: Decrypt, Type: SSL Forward Proxy), and attach the Decryption Profile.
A phased rollout is highly recommended, starting with a small group of clients and non-critical URL categories to identify and resolve potential issues before broader deployment.
Troubleshooting SSL Forward Proxy requires a systematic approach, leveraging firewall logs, CLI commands, and an understanding of the SSL/TLS handshake. The primary log source is `Monitor > Logs > Decryption`.
Figure 1: SSL Forward Proxy Troubleshooting Flowchart
Check the session table with `show session all filter source <src-ip> destination <dst-ip> destination-port 443` and inspect flags and decryption status.
**Decryption Logs** (`Monitor > Logs > Decryption`): This is your primary source.

- `Session Decrypted`: Indicates successful decryption. If issues persist, it's likely post-decryption (Security policy, Threat, URL filtering).
- `Session Blocked` or errors like:
  - `ssl-cert-server-issuer-untrusted`: Server's CA is not trusted by the firewall. FW presents Forward Untrust cert. This is expected if the server cert is genuinely bad. If the server cert is good, check whether the issuing CA is in the firewall's trust store (`Device > Certificate Management > Certificates`).
  - `ssl-cert-status-expired`: Server's certificate is expired. FW presents Forward Untrust.
  - `ssl-decrypt-unsupport-cipher` / `ssl-decrypt-unsupport-protocol`: Client/Server and Firewall could not negotiate common parameters. Check Decryption Profile settings.
  - `ssl-server-hello-failed-handshake`: Generic handshake failure. Needs deeper investigation.
  - `ssl-out-of-resources`: Firewall resource exhaustion.
  - `ssl-decrypt-certvalidate-failed`: Certificate validation failed for other reasons.

**Traffic Logs** (`Monitor > Logs > Traffic`): Check `Session End Reason`. If traffic is decrypted and then blocked by a Security policy, it will show here.

**System Logs** (`Monitor > Logs > System`): May show critical errors related to decryption processes (e.g., `sslmgr`, `devsrvr`).
Verify the certificates in `Device > Certificate Management > Certificates` and that the Forward Trust certificate is marked as a "CA". Use `show certificate <name> detail` to inspect certificate properties on the firewall.
If Decryption logs show `ssl-decrypt-unsupport-cipher` or `ssl-decrypt-unsupport-protocol` and the connection fails, check the Decryption Profile (`Objects > Decryption Profile > SSL Protocol Settings`) for minimum/maximum TLS versions and allowed cipher suites.
Add the destination to `Device > Certificate Management > SSL Decryption Exclusion`. This bypasses decryption based on the SNI in the Client Hello.
If Decryption logs show `ssl-out-of-resources` or CPU on the firewall is high, check resource usage with:

- `show system resources follow` (monitor CPU/memory).
- `show counter global filter aspect ssl` (look for error counters, resource drops).
- `show counter global filter delta yes aspect ssl` (to see changes in counters).
- `show dataplane pool statistics | match ssl` (check SSL-specific resource pools).
Beyond those mentioned above, here are more useful CLI commands:

| Command | Description |
|---|---|
| `show session info` | General session information, can be filtered. |
| `show session all filter ssl-decrypt yes count yes` | Count of currently decrypted sessions. |
| `show running decryption-policy` | Displays configured decryption policies. |
| `show running decryption-profile` | Displays configuration of a specific decryption profile. |
| `show system setting ssl-decrypt` | Displays global SSL decryption settings and status. |
| `show system setting decryption status` | Overall decryption status. |
| `show certificate all` | Lists all certificates on the firewall. |
| `debug sslmgr view stats` | View SSL manager statistics (use with caution). |
| `debug sslmgr view certcache [fqdn` | View SSL certificate cache entries (use with caution). |
| `debug sslmgr view sesscache` | View SSL session cache (use with caution). |
| `request system ssl-decrypt-certchain-check host` | Checks the certificate chain for a given host from the firewall's perspective. |
| `less mp-log sslmgr.log` | Management plane SSL manager logs. |
| `less dp-log pan_sslmgr_diag.log` | Dataplane SSL manager diagnostic logs (may vary by PAN-OS). |
| `less mp-log devsrv.log` | Device server logs, can contain cert/key related messages. |
Warning: Debug commands are resource-intensive and can severely impact firewall performance. Use them only during a maintenance window or under the guidance of Palo Alto Networks support. Always turn off debugs after use.
Use `Monitor > Packet Capture` and filter for relevant traffic, or the `debug dataplane packet-diag ...` CLI commands. Capture at `receive` (ingress), `firewall` (post-policy), and `transmit` (egress) stages to see how the packet is transformed.
Exam Gotcha: Distinguish between issues caused by the firewall's decryption process (e.g., client doesn't trust Forward Trust CA) versus issues with the original server's certificate (e.g., server cert expired, triggering Forward Untrust).
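The Decryption-log error strings listed earlier and the firewall-side versus server-certificate distinction in the Exam Gotcha can be turned into a small triage script. The Python below is an added example, not code from the original page or from Palo Alto Networks. The log lines it parses are constructed key=value records, not the firewall's real Decryption log export format, and the `triage`/`summarize` functions and the assignment of each error to a "side" are this example's own reading of the guide above.

```python
"""Triage constructed SSL Forward Proxy decryption-log records.

Added example. The log format is a simplified key=value line constructed
for this script; it is not the PAN-OS Decryption log export format.
"""
import re
from collections import Counter

# Constructed sample records (not real firewall output).
SAMPLE_LOG = """\
2024-05-01T09:00:01 src=10.1.1.5 dst=203.0.113.10 sni=intranet.example.com result="Session Decrypted"
2024-05-01T09:00:02 src=10.1.1.6 dst=203.0.113.11 sni=old.example.net result="Session Blocked" error=ssl-cert-status-expired
2024-05-01T09:00:03 src=10.1.1.7 dst=203.0.113.12 sni=legacy.example.org result="Session Blocked" error=ssl-decrypt-unsupport-protocol
2024-05-01T09:00:04 src=10.1.1.8 dst=203.0.113.13 sni=busy.example.com result="Session Blocked" error=ssl-out-of-resources
2024-05-01T09:00:05 src=10.1.1.9 dst=203.0.113.14 sni=selfsigned.example.com result="Session Blocked" error=ssl-cert-server-issuer-untrusted
"""

# Each error string the guide names, mapped to which side of the proxy is at
# fault and the check the guide recommends.
#   "server-cert": the original server's certificate is the problem; the firewall
#                  presented its Forward Untrust CA, so a client warning is expected.
#   "firewall":    the decryption process itself failed (profile, resources, handshake).
ERROR_GUIDE = {
    "ssl-cert-server-issuer-untrusted": (
        "server-cert",
        "Confirm the server's issuing CA is in Device > Certificate Management > Certificates."),
    "ssl-cert-status-expired": (
        "server-cert",
        "Server certificate is expired; Forward Untrust was presented as expected."),
    "ssl-decrypt-unsupport-cipher": (
        "firewall",
        "Review Objects > Decryption Profile > SSL Protocol Settings (cipher suites)."),
    "ssl-decrypt-unsupport-protocol": (
        "firewall",
        "Review Objects > Decryption Profile > SSL Protocol Settings (min/max TLS version)."),
    "ssl-server-hello-failed-handshake": (
        "firewall",
        "Generic handshake failure; capture at receive, firewall and transmit stages."),
    "ssl-out-of-resources": (
        "firewall",
        "Run show system resources follow and show counter global filter aspect ssl."),
    "ssl-decrypt-certvalidate-failed": (
        "server-cert",
        "Validation failed for another reason; run request system ssl-decrypt-certchain-check host."),
}

# key=value pairs; quoted values may contain spaces (e.g. result="Session Blocked").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one constructed log line into a dict of its fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def triage(line):
    """Classify one record: post-decryption, server-cert, firewall or unknown."""
    rec = parse_record(line)
    result = rec.get("result", "")
    error = rec.get("error", "")
    if result == "Session Decrypted":
        side = "post-decryption"
        check = ("Decryption succeeded; check Security policy, Threat and URL "
                 "Filtering, and Session End Reason in the Traffic log.")
    elif error in ERROR_GUIDE:
        side, check = ERROR_GUIDE[error]
    else:
        side = "unknown"
        check = "Unrecognised result; inspect the session table and take a packet capture."
    return {"sni": rec.get("sni", ""), "error": error, "side": side, "check": check}


def summarize(log_text):
    """Count records per side, so a phased rollout shows whether problems are
    mostly bad server certificates (expected) or firewall-side failures."""
    return Counter(triage(l)["side"] for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        t = triage(line)
        print(f"{t['sni']:<26} {t['side']:<16} {t['check']}")
    print(dict(summarize(SAMPLE_LOG)))
```

Run against a real export you would first adapt `parse_record` to the firewall's field layout; the value of the script is the per-side count, which tells you whether a new rollout phase is surfacing genuinely bad server certificates or a Decryption Profile or resource problem on the firewall.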
Simplified SSL Forward Proxy Packet Flow. Client connects to Firewall, Firewall connects to Server. Firewall re-signs server certificate with Forward Trust CA.