Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
seadave
Contributor III

SSL Errors in SYSLOG

I'm monitoring for errors in SYSLOG. I originally started doing this because I feel like it is easier to see what is happening than how it is presented in FAZ 5.4.x and to diagnose a reoccurring conserve mode issue. I also filtered out INFO traffic so I would only see items of WARNING or higher.

 

config log syslogd setting
    set status enable
    set server "x.x.x.x"
    set csv enable
    set facility kernel
end
config log syslogd filter
    set severity warning
    set forward-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set voip disable
    set filter "event-level(warning)"
end

 

I had a problem where the proxyd worker process would hang (my guess is due to an IPS engine update because it didn't happen until 3 months after we had been using 5.4 without issue) and the TAC indicated the problem was I had DPI set up to "inspect all ports" instead of the traditional 443, 22, 465, etc. So I disabled the "inspect all ports" option and set SSH specifically to 22 also.

 

This stopped the firewall from hanging. But now I'm seeing a lot of the following errors:

 

date=2016-07-12,time=18:11:31,devname=xxx,devid=xxx,logid=0105048013,type=event,subtype=wad,level=error,vd=root,logdesc="SSL Cipher Suites not supported",session_id=41c6df,policyid=53,srcip=x.x.x.x,srcport=57993,dstip=216.33.91.132,dstport=443,action=close,msg="None of the offered CipherSuites are supported"

 

date=2016-07-12,time=18:07:51,devname=xxx,devid=xxx,logid=0105048038,type=event,subtype=wad,level=error,vd=root,logdesc="SSL Fatal Alert received",session_id=41b9ed,policyid=53,srcip=x.x.x.x,srcport=57181,dstip=216.58.216.170,dstport=443,action=receive,alert=2,desc="unknown ca",msg="SSL Alert received"

 

date=2016-07-12,time=18:04:21,devname=xxx,devid=xxx,logid=0105048038,type=event,subtype=wad,level=error,vd=root,logdesc="SSL Fatal Alert received",session_id=41ad2f,policyid=53,srcip=x.x.x.x,srcport=64024,dstip=216.58.193.68,dstport=443,action=receive,alert=2,desc="protocol version",msg="SSL Alert received"

 

All of our endpoints have the FG CA installed as a trusted CA. People can still browse normally for the most part. Only Chrome appears to detect this problem, thus exposing the user to it. I'm not sure if this is due to Certificate Pinning or some other issue.

 

The cipher error has me wondering if my "strong crypto" settings are to blame.

 

config system global
    set strong-crypto enable
end

 

If anyone else is seeing this I'd be interested. We do exempt some categories for privacy so perhaps that is why we don't see it more often, but it is happening every few minutes or so.

 

Chrome appears to be the only browser that will bark when this happens which makes sense based on how strict Google is making it when it comes to accepting certs.
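
An added example, not part of the original post: Python that parses the key=value syslog lines quoted above and tallies the subtype=wad SSL errors by reason and destination, so the cipher-suite, "unknown ca" and "protocol version" cases can be tracked separately. The function names are assumptions of this example; the sample input is the three log lines from the post.

```python
import re
from collections import Counter

# key=value pairs separated by commas; a value may be double-quoted and contain commas
_PAIR = re.compile(r'([\w-]+)=("[^"]*"|[^,]*)')

# The three log lines quoted in the post above, reproduced verbatim.
SAMPLE = '''\
date=2016-07-12,time=18:11:31,devname=xxx,devid=xxx,logid=0105048013,type=event,subtype=wad,level=error,vd=root,logdesc="SSL Cipher Suites not supported",session_id=41c6df,policyid=53,srcip=x.x.x.x,srcport=57993,dstip=216.33.91.132,dstport=443,action=close,msg="None of the offered CipherSuites are supported"
date=2016-07-12,time=18:07:51,devname=xxx,devid=xxx,logid=0105048038,type=event,subtype=wad,level=error,vd=root,logdesc="SSL Fatal Alert received",session_id=41b9ed,policyid=53,srcip=x.x.x.x,srcport=57181,dstip=216.58.216.170,dstport=443,action=receive,alert=2,desc="unknown ca",msg="SSL Alert received"
date=2016-07-12,time=18:04:21,devname=xxx,devid=xxx,logid=0105048038,type=event,subtype=wad,level=error,vd=root,logdesc="SSL Fatal Alert received",session_id=41ad2f,policyid=53,srcip=x.x.x.x,srcport=64024,dstip=216.58.193.68,dstport=443,action=receive,alert=2,desc="protocol version",msg="SSL Alert received"
'''

def parse_line(line):
    """Return one key=value syslog line as a dict, with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in _PAIR.findall(line)}

def wad_ssl_errors(lines):
    """Yield parsed events with type=event, subtype=wad and level=error."""
    for line in lines:
        ev = parse_line(line)
        if (ev.get("type"), ev.get("subtype"), ev.get("level")) == ("event", "wad", "error"):
            yield ev

def summarize(lines):
    """Count events per (logdesc, alert desc) and collect destination IPs per reason."""
    counts, dests = Counter(), {}
    for ev in wad_ssl_errors(lines):
        # desc is only present on alert events, so it may be empty
        reason = (ev.get("logdesc", ""), ev.get("desc", ""))
        counts[reason] += 1
        dests.setdefault(reason, set()).add(ev.get("dstip", ""))
    return counts, dests

if __name__ == "__main__":
    counts, dests = summarize(SAMPLE.splitlines())
    for reason, n in counts.most_common():
        print(n, reason, sorted(dests[reason]))
```

Grouping by reason and destination over a longer capture shows whether one failure type or a small set of servers accounts for most of the events.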

2 REPLIES
seadave
Contributor III

Just noticed that all of my examples are Google IPs, but it happens with others also.

yfourar

I have the same problem. I think that the problem is in the browser (Google Chrome), so I think we need to update our browser.
