Monitor and analyze TLS traffic activity including failure
reasons, protocol usage, and key exchange activity.
The Application Command Center (ACC)
widgets for decryption (ACC > SSL Activity) introduced in
PAN-OS 11.0 work with the Decryption log to help
you diagnose and resolve decryption issues quickly and easily. Use
the SSL Activity widget to view and analyze
network decryption activity such as the number of decrypted and undecrypted
sessions, how much traffic uses different TLS protocol versions,
the most common decryption failure reasons, and which applications
and Server Name Identifications (SNIs) use weak ciphers and algorithms.
Next, use the Decryption logs to drill down into sessions and diagnose
the exact issue so you can take appropriate action.
PAN-OS 11.0 introduced five new decryption widgets. Use the information
the widgets provide to identify misconfigured Decryption policies
and profiles and to make informed decisions about what traffic to
allow and what traffic to block:
Traffic Activity—Shows SSL/TLS activity compared
to non-SSL/TLS activity by total number of sessions or by amount
of traffic in bytes.
SSL/TLS Traffic—Shows the amount of decrypted and
non-decrypted traffic by number of sessions or amount of traffic
in bytes. Reasons for traffic not being decrypted include:
No Decryption policy is applied to the traffic.
The Decryption policy intentionally exempted the traffic
from decryption (for example, a No Decryption policy).
The Decryption policy was misconfigured and the traffic was
intended to be decrypted but is not.
The site is in the SSL Decryption
Exclusion List (Device > Certificate Management > SSL Decryption
Exclusion), which contains sites Palo
Alto Networks has identified that break decryption for technical
reasons such as pinned certificates or client authentication. For
these sites, the firewall bypasses decryption.
The site is in the Local Decryption
Exclusion Cache, which contains sites that local users encounter
that break decryption for technical reasons.
The ACC only populates the next three widgets with data from
traffic that a Decryption policy controls. If you don’t apply a
Decryption policy to traffic, that traffic does not populate these
widgets.
Decryption Failure Reasons—Shows the reasons for
decryption failures: protocol, certificate, version, cipher, HSM,
resource, resume, or feature issues, by SNI. Use this information
to detect problems caused by Decryption policy or profile misconfiguration
or by traffic that uses unsupported weak protocols or algorithms.
Click a failure reason to drill down and isolate the number of sessions
per SNI that experienced the failure or click an SNI to see all
of the decryption failures for that SNI.
Successful TLS Version Activity—Shows successful TLS
connections by TLS version for applications or SNIs (SNIs are available for
Forward Proxy only) so you can evaluate how much risk you are taking
on by allowing weaker TLS protocol versions. Identifying applications
and SNIs that use weak protocols enables you to evaluate each one
and decide whether you need to allow access to it for business reasons.
If you don’t need the application for business purposes, you may
want to block the traffic instead of allowing it, to reduce risk.
Click a TLS version to drill down and view the SNIs or applications
which used that TLS version. Click an application or an SNI to drill
down and see how many of those application or SNI sessions used each
TLS version.
Successful Key Exchange Activity—Shows successful
key exchange activity per algorithm for applications or SNIs (SNIs
are available for Forward Proxy only). Click a key exchange algorithm
to see the activity for just that algorithm or click an application
or SNI to view the key exchange algorithm activity for that application
or SNI.
The following example of drilling down into ACC data shows you
how to examine successful TLS version activity:
The Successful TLS Version Activity widget
shows that seventeen sessions used TLSv1.3 and seven sessions used TLSv1.2.
The SNI list shows the destination SNIs and the number of sessions
per SNI.
To see which SNIs used TLSv1.2, click the green bar labeled
TLS1.2.
Now you can see the seven TLSv1.2 sessions were spread among
four servers.
Clicking Home returns you to the home
screen. Now, clicking the www.espn.com SNI shows us which TLS versions
it used. We can see that two of the four sessions used TLSv1.3 and
two used TLSv1.2.
For any Decryption widget, click the Jump to Logs icon to jump
directly to the Decryption logs that correspond to the data in the
ACC:
In the preceding example, at any point in the investigation you
could jump to the Decryption logs for the data to drill down more.
For example, you could examine the logs for the individual sessions
that used TLSv1.2 to find out why they didn’t use TLSv1.3.
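The widget aggregations described above (sessions per TLS version, the per-SNI drill-down, key exchange per algorithm, and failure reasons per SNI) can be reproduced from exported Decryption log records, which is useful when the logs are forwarded to a SIEM. The following is an added example, not PAN-OS code or part of this documentation; the sample rows and the column names (sni, tls_version, tls_keyxchg, err_index, app) are constructed assumptions and should be checked against your own export.

```python
"""Aggregate Decryption log records the way the ACC decryption widgets do.
Example code (not part of PAN-OS); the CSV layout below is assumed."""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample export. An empty err_index marks a successfully
# decrypted session; the app column uses the firewall's App-ID name.
SAMPLE_LOG = """\
sni,tls_version,tls_keyxchg,err_index,app
www.example.com,TLSv1.3,X25519,,web-browsing
www.example.com,TLSv1.2,ECDHE,,web-browsing
www.example.com,TLSv1.3,X25519,,web-browsing
www.example.com,TLSv1.2,ECDHE,,web-browsing
mail.example.net,TLSv1.2,RSA,,incomplete
legacy.example.org,TLSv1.2,RSA,Version,unknown
pinned.example.org,TLSv1.3,X25519,Certificate,ssl
"""

# Failure categories named by the Decryption Failure Reasons widget.
FAILURE_REASONS = {"Protocol", "Certificate", "Version", "Cipher",
                   "HSM", "Resource", "Resume", "Feature"}

def parse_records(text):
    return list(csv.DictReader(StringIO(text)))

def successful(records):
    """Sessions that decrypted without a recorded failure."""
    return [r for r in records if not r["err_index"]]

def tls_version_activity(records):
    """Successful TLS Version Activity: session count per TLS version."""
    return Counter(r["tls_version"] for r in successful(records))

def snis_for_version(records, version):
    """Drill-down: which SNIs used a given TLS version, and how often."""
    return Counter(r["sni"] for r in successful(records) if r["tls_version"] == version)

def tls_versions_for_sni(records, sni):
    """Drill-down: which TLS versions one SNI used."""
    return Counter(r["tls_version"] for r in successful(records) if r["sni"] == sni)

def key_exchange_activity(records):
    """Successful Key Exchange Activity: session count per algorithm."""
    return Counter(r["tls_keyxchg"] for r in successful(records))

def failure_reasons_by_sni(records):
    """Decryption Failure Reasons: failure category counts per SNI."""
    out = defaultdict(Counter)
    for r in records:
        if r["err_index"]:
            reason = r["err_index"] if r["err_index"] in FAILURE_REASONS else "Other"
            out[r["sni"]][reason] += 1
    return {sni: dict(c) for sni, c in out.items()}

def unidentified_apps(records):
    """SNIs whose application shows as incomplete or unknown (see below)."""
    return [r["sni"] for r in records if r["app"] in ("incomplete", "unknown")]
```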
Decryption ACC widgets show the name of the decrypted application
based on the Palo Alto Networks App-ID. For populating the ACC,
the firewall can only identify applications that have a Palo Alto
Networks App-ID; the firewall cannot populate the ACC with custom
applications or applications that do not have an App-ID. Content updates
refresh App-IDs regularly. Other reasons that the application may be shown
as incomplete or unknown are:
The firewall dropped the session before it could identify
the application.
Decryption logs depend on Traffic logs to populate the Decryption
log application field. However, if the Traffic log is not completed
within 60 seconds, the Traffic log does not populate the application
in the Decryption log and the application displays as incomplete
or unknown.