Troubleshoot and Monitor Decryption
Troubleshoot, investigate, and resolve TLS decryption
issues using visibility-enhancing diagnostic tools.
Troubleshooting tools provide enhanced visibility into TLS traffic so you
can monitor your decryption deployment. They enable you to diagnose and
resolve decryption issues quickly, close weaknesses in your decryption
deployment, and improve your security posture. For example, you can:
- Identify traffic that causes decryption failures by Server Name Indication (SNI) and application.
- Identify traffic that uses weak protocols and algorithms.
- Examine successful and unsuccessful decryption activity in the network.
- View detailed information about individual sessions.
- Profile decryption usage and patterns.
- Monitor detailed decryption statistics and information about adoption, failures, versions, algorithms, etc.
The following tools provide full visibility into
the TLS handshake and help you troubleshoot and monitor your decryption
deployment:
SSL Activity widgets in the ACC—The five ACC widgets on this tab (introduced
in PAN-OS 10.0) provide details about successful and unsuccessful decryption
activity in your network, including decryption failures, TLS versions, key
exchanges, and the amount and type of decrypted and undecrypted traffic.
Decryption Log—The Decryption Log (introduced in PAN-OS 10.0) provides
comprehensive information about individual sessions that match a Decryption
policy (use a No Decryption policy for traffic you don’t decrypt) and about
GlobalProtect sessions when you enable Decryption logging in the GlobalProtect
Portal or GlobalProtect Gateways configuration. Select which columns to
display to view information such as application, SNI, Decryption Policy Name,
error index, TLS version, key exchange version, encryption algorithm,
certificate key types, and many other characteristics. Filter the information
in columns to identify traffic that uses particular TLS versions and
algorithms, particular errors, or any other characteristics you want to
investigate. By default, Decryption policies log only unsuccessful TLS
handshakes. Depending on the available log storage, you can configure
Decryption policies to log successful TLS handshakes as well.
Local Decryption Exclusion Cache—There are two constructs for sites that
break decryption for technical reasons such as client authentication or
pinned certificates and therefore need to be excluded from decryption: the
SSL Decryption Exclusion List and the Local Decryption Exclusion Cache. The
SSL Decryption Exclusion List contains the sites that Palo Alto Networks has
identified as technically breaking decryption. Content updates keep the list
up to date, and you can add sites to the list manually. The Local Decryption
Exclusion Cache automatically adds sites that local users encounter that
break decryption for technical reasons and excludes them from decryption,
provided that the Decryption profile applied to the traffic allows
unsupported modes (if unsupported modes are blocked, the traffic is blocked
instead of being added to the local cache).
Custom Report Templates for Decryption—You can create custom reports using
four predefined templates that summarize decryption activity (introduced in
PAN-OS 10.0).
The general troubleshooting methodology is to use the new ACC
widgets to identify traffic that causes decryption issues and then
use the new Decryption Log and custom report templates to drill
down into details and gain context about that traffic, which enables
you to diagnose issues accurately and much more easily than in the
past. Understanding decryption issues and their causes enables you
to select the appropriate way to fix each issue, such as:
- Modify Decryption policy rules (a policy rule defines the traffic that the rule affects, the action taken on that traffic, log settings, and the Decryption profile applied to the traffic)
- Modify Decryption profiles (acceptable protocols and algorithms for the traffic that a Decryption policy rule defines, plus failure checks, unsupported mode checks for items such as unsupported ciphers and versions, certificate checks, etc.)
- Add sites that break decryption for technical reasons to the SSL Decryption Exclusion List
- Evaluate security decisions about which sites your employees, customers, and partners really need to access and which sites you can block when sites use weak decryption protocols or algorithms
The goals should be to decrypt all the traffic you can decrypt (a decryption
best practice) so that you can inspect it, and to properly handle traffic
that you don’t decrypt.
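The following Python script is an added example (not PAN-OS code or part of this documentation) that applies the methodology above to Decryption Log rows exported as CSV: it counts failed handshakes by SNI and application and flags sessions that negotiated weak versions, key exchanges or ciphers. The column names and the sample rows are constructed assumptions; rename the columns to match your own export.

```python
# Added example, not PAN-OS code. Column names below are assumptions about a
# Decryption Log CSV export (sni, app, tls_version, ...); rename them to match yours.
import csv
import io
from collections import Counter

# Constructed sample rows, not real traffic; the error strings are made up.
SAMPLE_CSV = """sni,app,policy_name,tls_version,tls_keyxchg,tls_enc,err_index,error
update.example-vendor.net,ssl,decrypt-outbound,TLS1.2,ECDHE,AES-256-GCM,Certificate,Client authentication or pinned certificate
update.example-vendor.net,ssl,decrypt-outbound,TLS1.2,ECDHE,AES-256-GCM,Certificate,Client authentication or pinned certificate
legacy.intranet.example,web-browsing,decrypt-outbound,TLS1.0,RSA,3DES-CBC,,
mail.example.com,imap,decrypt-outbound,TLS1.2,RSA,AES-128-CBC,,
chat.example.org,ssl,decrypt-outbound,TLS1.3,ECDHE,AES-256-GCM,,
legacy.intranet.example,web-browsing,decrypt-outbound,TLS1.0,RSA,3DES-CBC,Protocol,Unsupported protocol version
"""

WEAK_VERSIONS = {"SSLv3", "TLS1.0", "TLS1.1"}
WEAK_CIPHERS = ("RC4", "DES", "NULL", "EXPORT")   # "DES" also matches 3DES

def parse_decryption_log(text):
    """Read exported log rows into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def failures_by_sni_app(rows):
    """Count failed handshakes per (SNI, application); a row with a
    non-empty error column is treated as an unsuccessful handshake."""
    return Counter((r["sni"], r["app"]) for r in rows if r["error"])

def weak_crypto_findings(rows):
    """Map each SNI to the weak protocol/algorithm reasons it negotiated."""
    findings = {}
    for r in rows:
        reasons = []
        if r["tls_version"] in WEAK_VERSIONS:
            reasons.append("version " + r["tls_version"])
        if r["tls_keyxchg"].upper() == "RSA":
            reasons.append("RSA key exchange (no forward secrecy)")
        if any(c in r["tls_enc"].upper() for c in WEAK_CIPHERS):
            reasons.append("cipher " + r["tls_enc"])
        if reasons:
            findings.setdefault(r["sni"], set()).update(reasons)
    return findings

if __name__ == "__main__":
    rows = parse_decryption_log(SAMPLE_CSV)
    for (sni, app), n in failures_by_sni_app(rows).most_common():
        print(f"{n:3d} failed handshakes  {sni} ({app})")
    for sni, reasons in sorted(weak_crypto_findings(rows).items()):
        print(f"weak crypto  {sni}: {', '.join(sorted(reasons))}")
```

Repeated failures for one SNI with a certificate error point to a candidate for the SSL Decryption Exclusion List, while weak-crypto findings are the sites to review before tightening the Decryption profile.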
When you upgrade to PAN-OS 10.0, the device takes 1% of the log space and
allocates it to Decryption logs. Step 3 in Configure Decryption Logging shows
you how to modify the log space allocation to provide more space for
Decryption logs.
If you downgrade from PAN-OS 10.0 or later to PAN-OS 9.1 or earlier,
the features introduced in PAN-OS 10.0 (Decryption Log, SSL Activity
widgets in the ACC, custom report Decryption templates) are removed
from the UI. References to Decryption logs are also removed from
Log Forwarding profiles. In addition, the Local Decryption Exclusion
Cache is only viewable using the CLI in PAN-OS 9.1 and earlier (PAN-OS
10.0 added the local cache to the UI).
If you push configurations from Panorama on PAN-OS 10.0 or later
to devices that run PAN-OS 9.1 or earlier, Panorama removes the
features introduced in PAN-OS 10.0.