>
    Strata Copilot
    Troubleshoot Unsupported Cipher Suites
    Focus
    Download PDF
    Focus
    1. Home
    2. Network Security
    4. Troubleshoot Decryption
    5. Troubleshoot Unsupported Cipher Suites
    Download PDF
    Network Security

    Troubleshoot Unsupported Cipher Suites

    Table of Contents

    Troubleshoot Unsupported Cipher Suites

    Identify and fix version errors or unsupported cipher suites so you can decide whether to allow the traffic by excluding it from decryption.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Panorama)
    • NGFW (Managed by PAN-OS or Panorama)
    Cipher errors are unsupported cipher errors where at least one of the following is true:
    • The client tries to negotiate a cipher that the NGFW supports but that the Decryption profile applied to the traffic doesn’t support.
    • The client tries to negotiate a cipher that the NGFW does not support.
    • (Rare) SSL Inbound Inspection is enabled and the server’s capabilities don’t match the Decryption profile settings.
    • The error message includes the supported client cipher bitmask value and the supported Decryption profile cipher bitmask value. You can use bitmask values to identify the cipher the client tried to use and the cipher values that the Decryption profile supports.
    Key Steps for Converting Bitmask Values and Turning Them Into Something Useful
    1. Filter the Decryption logs for cipher errors using a query.
    2. Plug the bitmask value into the appropriate CLI command to identify the cipher that caused the error.
    3. Use the cipher information to update the Decryption policy rule or Decryption profile if you want to allow access to the site in question.
    1. Identify cipher errors in the Decryption logs.
      1. Select Monitor Logs Decryption.
      2. Filter the Decryption logs using the query (err_index eq Cipher). The highlighted values are bitmask values. For example, let’s examine a cipher error with the Error message Unsupported cipher. Supported client cipher bitmask: 0x80000000. Support decrypt profile cipher bitmask 0x60f79980.
    2. Log in to the CLI to look up the bitmask values.
      admin@vm1>debug dataplane show ssl-decrypt bitmask-cipher 0x80000000
      CHACHA_PLY1305_SHA256
      This output shows that client tried to negotiate a cipher that the NGFW supports (if the bitmask is all zeros (0x0000000, then the client tried to negotiate a cipher that the NGFW doesn’t support):
      admin@vm1>debug dataplane show ssl-decrypt bitmask-cipher 0x80000000
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS13_WITH_AES_256_GCM_SHA384
TLS13_WITH_AES_128_GCM_SHA256
      This output shows that the Decryption profile that controls the traffic supports many ciphers, but does not support the cipher the client is trying to use.
      To fix this issue so that the NGFW allows and decrypts the traffic, you need to add support for the missing cipher to the Decryption profile.
    3. Identify the decryption policy rule and profile that controls the session traffic.
      1. Check the Policy Name for a decryption log entry (or click the magnifying glass
        to see the information in the General section of the Detailed Log View).
      2. Select the policy rule (ObjectsPoliciesDecryption), and open the rule. Then, on the Options tab, go to the Options and find the value under Decryption Profile.
      3. Select ObjectsDecryptionDecryption Profile, and select the appropriate Decryption profile.
      4. Update the Key Exchange Algorithms, Encryption Algorithms, and Authentication Algorithms fields as needed.
      5. Click OK to save the profile.
        Select the CHACHA20-POLY1305 encryption algorithm option (the Max Version setting of Max means that the profile already supports TLSv1.3 and the Authentication Algorithm setting already includes SHA256, so only the Encryption Algorithm support was missing).
        If the NGFW does not support a cipher suite and you need to allow the traffic for business purposes, create a decryption policy rule and profile that applies only to that traffic. In the Decryption profile, disable the Block sessions with unsupported cipher suites option.
    4. Commit the configuration.
      After you commit the configuration, the Decryption profile supports the missing cipher and the decryption sessions for the traffic succeed.

    © 2026 Palo Alto Networks, Inc. All rights reserved.