Monitor and analyze TLS traffic activity including failure
reasons, protocol usage, and key exchange activity.
The Application Command Center (ACC)
widgets for decryption (ACC > SSL Activity) introduced in
PAN-OS 10.0 work with the Decryption log to help
you diagnose and resolve decryption issues quickly and easily. Use
the SSL Activity widgets to view and analyze
network decryption activity such as the number of decrypted and
undecrypted sessions, how much traffic uses different TLS protocol
versions, the most common decryption failure reasons, and which
applications and Server Name Indications (SNIs) use weak ciphers
and algorithms. Next, use the Decryption logs to drill down into
sessions and diagnose the exact issue so you can take appropriate action.
PAN-OS 10.0 introduced five new decryption widgets. Use the information
the widgets provide to identify misconfigured Decryption policies
and profiles and to make informed decisions about what traffic to
allow and what traffic to block:
Traffic Activity—Shows SSL/TLS activity compared to
non-SSL/TLS activity by total number of sessions or by amount of
traffic in bytes.
SSL/TLS Traffic—Shows the amount of decrypted and non-decrypted
traffic by number of sessions or amount of traffic in bytes. Reasons
for traffic not being decrypted include:
No Decryption policy applies to the traffic.
The Decryption policy intentionally exempted the traffic
from decryption (for example, a No Decryption policy).
The Decryption policy was misconfigured and the traffic was intended
to be decrypted but is not.
The site is in the SSL Decryption
Exclusion List (Device > Certificate Management > SSL Decryption
Exclusion), which contains sites Palo
Alto Networks has identified that break decryption for technical
reasons such as pinned certificates or client authentication. For
these sites, the firewall bypasses decryption.
The site is in the Local Decryption
Exclusion Cache, which contains sites that local users encounter
which prevent decryption for technical reasons.
The ACC only populates the next three widgets with data from
traffic that a Decryption policy controls. If you don’t apply a
Decryption policy to traffic, that traffic does not populate these
widgets.
Decryption Failure Reasons—Shows the reasons for
decryption failures: protocol, certificate, version, cipher, HSM,
resource, resume, or feature issues, by SNI. Use this information
to detect problems caused by Decryption policy or profile misconfiguration
or by traffic that uses unsupported weak protocols or algorithms.
Click a failure reason to drill down and isolate the number of sessions
per SNI that experienced the failure or click an SNI to see all
of the decryption failures for that SNI.
Successful TLS Version Activity—Shows successful TLS connections
by TLS version for applications or SNIs (SNIs are available for Forward
Proxy only) so you can evaluate how much risk you are taking on
by allowing weaker TLS protocol versions. Identifying applications
and SNIs that use weak protocols enables you to evaluate each one
and decide whether you need to allow access to it for business reasons.
If you don’t need the application for business purposes, you may
want to block the traffic instead of allowing it to reduce risk.
Click a TLS version to drill down and view the SNIs or applications that
used that TLS version. Click an application or an SNI to drill down
and see how many of that application's or SNI's sessions used each
TLS version.
Successful Key Exchange Activity—Shows successful key
exchange activity per algorithm for applications or SNIs (SNIs are
available for Forward Proxy only). Click a key exchange algorithm
to see the activity for just that algorithm or click an application
or SNI to view the key exchange algorithm activity for that application
or SNI.
The following example of drilling down into ACC data shows you
how to examine successful TLS version activity:
The Successful TLS Version Activity widget
shows that seventeen sessions used TLSv1.3 and seven sessions used TLSv1.2.
The SNI list shows the destination SNIs and the number of sessions per
SNI.
To see which SNIs used TLSv1.2, click the green bar labeled TLS1.2.
Now you can see the seven TLSv1.2 sessions were spread among
four servers.
Clicking Home returns to the home
screen. Now, clicking the www.espn.com SNI shows us which TLS versions
it used. We can see that two of the four sessions used TLSv1.3 and
two used TLSv1.2.
For any Decryption widget, click the Jump to Logs icon to jump
directly to the Decryption logs that correspond to the data in the
ACC:
In the preceding example, at any point in the investigation you
could jump to the Decryption logs for the data to drill down more.
For example, you could examine the logs for the individual sessions
that used TLSv1.2 to find out why they didn’t use TLSv1.3.
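The same drill-down can be reproduced offline from exported Decryption log records. The following script is an added example, not code from the PAN-OS documentation or product: it builds a constructed log that matches the session counts above (seventeen TLSv1.3 sessions, seven TLSv1.2 sessions across four SNIs, www.espn.com with two of each), plus one extra TLSv1.1 session and a few failed handshakes to exercise the failure-reason and weak-version views. The field names `sni`, `tls_version` and `error` and the error strings are assumptions for this example, not the firewall's actual export column names.

```python
from collections import Counter, defaultdict

# Constructed Decryption log records (NOT a real PAN-OS export). The keys
# sni / tls_version / error are assumed names chosen for this example.
def _sessions(sni, version, n, error=""):
    return [{"sni": sni, "tls_version": version, "error": error} for _ in range(n)]

DECRYPTION_LOG = (
    _sessions("www.espn.com", "TLSv1.3", 2) + _sessions("www.espn.com", "TLSv1.2", 2)
    + _sessions("cdn.example.net", "TLSv1.3", 10) + _sessions("cdn.example.net", "TLSv1.2", 2)
    + _sessions("api.example.org", "TLSv1.3", 5) + _sessions("api.example.org", "TLSv1.2", 2)
    + _sessions("legacy.example.com", "TLSv1.2", 1)
    + _sessions("old.example.com", "TLSv1.1", 1)          # weak but successful handshake
    # failed handshakes: constructed error strings, grouped like the failure widget
    + _sessions("legacy.example.com", "TLSv1.0", 3, error="Unsupported protocol version")
    + _sessions("old.example.com", "TLSv1.2", 1, error="Unsupported cipher")
)

TLS_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def successful(records):
    """Sessions with no decryption error (what the 'Successful ...' widgets count)."""
    return [r for r in records if not r["error"]]

def sessions_by_version(records):
    """Successful TLS Version Activity widget: successful sessions per TLS version."""
    return dict(Counter(r["tls_version"] for r in successful(records)))

def snis_for_version(records, version):
    """Drill-down: click a TLS version bar to see which SNIs used it, with counts."""
    return dict(Counter(r["sni"] for r in successful(records) if r["tls_version"] == version))

def versions_for_sni(records, sni):
    """Drill-down: click an SNI to see how many of its sessions used each version."""
    return dict(Counter(r["tls_version"] for r in successful(records) if r["sni"] == sni))

def failure_reasons_by_sni(records):
    """Decryption Failure Reasons widget: failures grouped by reason, then by SNI."""
    out = defaultdict(Counter)
    for r in records:
        if r["error"]:
            out[r["error"]][r["sni"]] += 1
    return {reason: dict(c) for reason, c in out.items()}

def weak_version_snis(records, minimum="TLSv1.2"):
    """SNIs whose successful sessions negotiated a version below the minimum."""
    floor = TLS_ORDER.index(minimum)
    return sorted({r["sni"] for r in successful(records)
                   if TLS_ORDER.index(r["tls_version"]) < floor})

if __name__ == "__main__":
    print(sessions_by_version(DECRYPTION_LOG))
    print(snis_for_version(DECRYPTION_LOG, "TLSv1.2"))
    print(versions_for_sni(DECRYPTION_LOG, "www.espn.com"))
    print(failure_reasons_by_sni(DECRYPTION_LOG))
    print(weak_version_snis(DECRYPTION_LOG))
```

Run against a real export, the `weak_version_snis` list is the set of destinations to review for a business justification before deciding whether to keep allowing them or block them, as the widget description above recommends.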
Decryption ACC widgets show the name of the decrypted application
based on the Palo Alto Networks App-ID. For populating the ACC,
the firewall can only identify applications that have a Palo Alto
Networks App-ID; the firewall cannot populate the ACC with custom
applications or applications that do not have an App-ID. Content updates
refresh App-IDs regularly. Other reasons that the application may be shown
as incomplete or unknown are:
The firewall dropped the session before it could identify
the application.
Decryption logs depend on Traffic logs to populate the Decryption
log application field. However, if the Traffic log is not completed
in 60 seconds or less, the Traffic log does not populate the application
in the Decryption log and the application displays as incomplete
or unknown.