Decryption Profile
3/19/2025


I was working on a task to inspect inbound traffic going to my backend stack, and I had just updated the PKI certificate. I noticed I kept getting a 502 error every time I activated the inspection rule, which was frustrating because I had checked all the trust chains and confirmed that I was using the same PKI certificate through the firewall and on the hand-off stack in the backend.
A friend asked me if I had looked at the decryption profile on the firewall. I was not sure why we needed to update it, but it turns out that the decryption profile needed a tweak. The previous decryption profile allowed traffic inspection for TLS version 1 minimum and a maximum of TLS version 2. This made sense because my current backend site is using TLS version 3; therefore, I needed to update the maximum TLS version so that the firewall could facilitate that communication. This was a sneaky one, but I am glad we figured it out.