Troubleshoot Pinned Certificates (PAN-OS)

1. Filter the Decryption log (MonitorLogsDecryption) to find pinned certificates using the query (error contains ‘UnknownCA’).

   The application generates a TLS error code (Alert) when it fails to verify the server’s certificate. Different applications may use different error codes to indicate a pinned certificate. The most common error indicators for pinned certificates are UnknownCA and BadCertificate. After running the (error contains ‘UnknownCA’) query, run the query (error contains ‘BadCertificate’) to catch more pinned certificate errors.

   You can use Wireshark or other packet analyzers to double-check the error. Look for the client breaking the connection immediately after the TLS handshake to confirm that it is a pinned certificate issue.
2. Decide what to do about pinned certificates.

   If you don’t need access for business purposes, you can let the NGFW continue to block access. If you need access, you can exclude the server from decryption by adding it to the SSL Decryption Exclusion List (DeviceCertificate ManagementSSL Decryption Exclusion.

   The NGFW bypasses decryption for sites on the SSL Decryption Exclusion List. The NGFW cannot inspect the traffic, but the traffic is allowed.