Palo Alto Networks Proactive Alert (SSL Decrypt Issues after Upgrade to 7.0.2)
We recently came across this issue when one of our customers upgraded their Palo Alto firewall appliances to PAN-OS 7.0.2 and found that, after the upgrade, many of the websites their end users visited were no longer accessible.
Investigation of the appliance system logs showed that the appliance was issuing its untrust certificate for SSL decryption: the PAN was presenting the my-fwd-untrusted certificate to clients instead of the my-fwd-trust certificate, which is why access to those sites failed.
Teneo found that the customer was hitting bug ID 84046, which was fixed in PAN-OS 7.0.3.
From the release notes:
"Fixed an issue where SSL decryption failed when a certificate was rejected due to a missing or empty basicConstraints extension.
With this fix, an exception is added to allow a missing or empty basicConstraints extension for self-signed non-CA certificates."
Once the customer had upgraded the appliances to PAN-OS 7.0.3, the issue was resolved: the customer re-enabled SSL Decryption, removed the IP exceptions, and confirmed that the correct my-fwd-trust certificate was now being used to decrypt the affected sites successfully.
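To make the release-note wording concrete, the following Python is an added illustration (not Palo Alto Networks code and not part of the original alert). It decodes the DER value of an X.509 basicConstraints extension, so you can tell a missing extension from an empty one (`30 00`) and from a real CA flag, and it models which forward-proxy certificate the firewall presents for a self-signed server certificate on 7.0.2 versus 7.0.3 as the note describes. The extension OID, the DER encodings and the function names are standard or constructed; the assumption that CA-ness is read from basicConstraints alone, and that no other validation failure is in play, is this model's, not the vendor's.

```python
# Added illustration of the behaviour described in the alert; not PAN-OS code.
# Decodes a DER basicConstraints value and models which forward-proxy
# certificate is presented for a SELF-SIGNED server cert on 7.0.2 vs 7.0.3.

from typing import Dict, Optional, Tuple

BASIC_CONSTRAINTS_OID = "2.5.29.19"   # id-ce-basicConstraints (RFC 5280)


def parse_basic_constraints(der: bytes) -> Tuple[bool, Optional[int]]:
    """Decode BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL } from its DER encoding.

    Returns (cA, pathLenConstraint). b'\\x30\\x00' (an empty SEQUENCE) is
    valid DER meaning cA=FALSE with no path length; that is the "empty
    basicConstraints extension" case named in the 7.0.3 release notes.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("BasicConstraints must be a DER SEQUENCE")
    length = der[1]
    if length & 0x80:
        raise ValueError("long-form length not expected for BasicConstraints")
    body = der[2:2 + length]
    if len(body) != length or len(der) != 2 + length:
        raise ValueError("SEQUENCE length does not match data")

    ca, path_len = False, None
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated element header")
        tag, ln = body[pos], body[pos + 1]
        val = body[pos + 2:pos + 2 + ln]
        if len(val) != ln:
            raise ValueError("truncated element value")
        if tag == 0x01:                      # BOOLEAN cA
            if ln != 1:
                raise ValueError("BOOLEAN must be one byte")
            ca = val[0] != 0x00
        elif tag == 0x02:                    # INTEGER pathLenConstraint
            path_len = int.from_bytes(val, "big", signed=True)
        else:
            raise ValueError(f"unexpected tag {tag:#04x} in BasicConstraints")
        pos += 2 + ln
    return ca, path_len


def basic_constraints_state(extensions: Dict[str, bytes]) -> str:
    """Classify a certificate's basicConstraints as 'missing', 'empty', 'ca'
    or 'non-ca'. `extensions` maps dotted OID -> DER bytes found inside the
    extension's extnValue OCTET STRING."""
    der = extensions.get(BASIC_CONSTRAINTS_OID)
    if der is None:
        return "missing"
    ca, _ = parse_basic_constraints(der)
    if der == b"\x30\x00":
        return "empty"
    return "ca" if ca else "non-ca"


def pan_os_version(version: str) -> Tuple[int, ...]:
    """'7.0.3' -> (7, 0, 3) so releases compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def forward_cert_for_self_signed(extensions: Dict[str, bytes], version: str) -> str:
    """Which forward-proxy certificate the client sees for a SELF-SIGNED
    server certificate (the case the alert describes).

    Per the release note: 7.0.2 rejects a certificate whose basicConstraints
    is missing or empty, so the client gets the forward-untrust cert; 7.0.3
    adds an exception for self-signed non-CA certificates, so the
    forward-trust cert is used. Model assumption: CA-ness is read from
    basicConstraints alone (missing/empty therefore means non-CA), and no
    other validation failure is present.
    """
    state = basic_constraints_state(extensions)
    if state in ("missing", "empty"):
        if pan_os_version(version) >= (7, 0, 3):
            return "forward-trust"           # 7.0.3 exception applies
        return "forward-untrust"             # rejected on 7.0.2
    return "forward-trust"                   # extension present: not rejected for this reason


if __name__ == "__main__":
    # Constructed sample extension values; not taken from any real site.
    samples = {
        "no basicConstraints":  {},
        "empty basicConstraints": {BASIC_CONSTRAINTS_OID: b"\x30\x00"},
        "cA=TRUE":              {BASIC_CONSTRAINTS_OID: b"\x30\x03\x01\x01\xff"},
        "cA=TRUE, pathLen=0":   {BASIC_CONSTRAINTS_OID: b"\x30\x06\x01\x01\xff\x02\x01\x00"},
    }
    for name, exts in samples.items():
        print(f"{name:24} 7.0.2 -> {forward_cert_for_self_signed(exts, '7.0.2'):16}"
              f" 7.0.3 -> {forward_cert_for_self_signed(exts, '7.0.3')}")
```

Running the script prints the two outcomes side by side for each sample; feeding `basic_constraints_state` the extension bytes pulled from a real server certificate (for example via `openssl x509 -text`) tells you whether that site is one a 7.0.2 firewall would have pushed onto the forward-untrust path.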
Keep up to date with the latest news
We will be keeping up to date with all the latest information and updates, so please get in touch with any questions or concerns at firstname.lastname@example.org.
To keep up to date with what we know, follow us on Twitter.