The earliest recollection of this bug is traced back to PAN-OS 8.1.1 - January 09, 2024. This bug is fixed in PAN-OS versions 8.1.1. Fixed an issue where the firewall didn't Block sessions with unsupported cipher suites based on Decryption policy rules for SSL Inbound Inspection when the rules referenced a Decryption Profile with a list of allowed ciphers that didn't match the ciphers that the destination server specified ( Objects Decryption Decryption Profile ). With this fix, the firewall checks the ciphers of both the source client and destination server against the cipher list in Decryption profiles when evaluating whether to allow sessions based on Decryption policy. For more information: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-release-notes/pan-os-8-1-addressed-issues/pan-os-8-1-1-addressed-issues