Focus

Verify Decryption

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
AIOps
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Configure Decryption Port Mirroring

Troubleshoot and Monitor Decryption

Verify Decryption

Use Traffic logs to verify that you decrypt traffic you want to decrypt and don’t decrypt sensitive traffic that you don’t want to decrypt.

After you configure a best practice decryption profile and apply it to traffic, you can check both the Decryption logs (introduced in PAN-OS 10.0) and the Traffic logs to verify that the firewall is decrypting the traffic that you intend to decrypt and that the firewall is not decrypting the traffic that you don’t want to decrypt. This topic shows you how to check decryption using Traffic logs. In addition, follow post-deployment decryption best practices to maintain the deployment.

View Decrypted Traffic Sessions—Filter the Traffic Logs (MonitorLogsTraffic) using the filter ( flags has proxy ).
This filter displays only logs in which the SSL proxy flag is on, meaning only decrypted traffic—every log entry has the value yes in the Decrypted column.

You can filter the traffic in a more granular fashion by adding more terms to the filter. For example, you can filter for decrypted traffic going only to the destination IP address 99.84.224.105 by adding the filter ( addr.dst in 99.84.224.105 ):
View SSL Traffic Sessions That Are Not Decrypted—Filter the Traffic Logs (MonitorLogsTraffic) using the filter ( not flags has proxy ) and ( app eq ssl ).
This filter displays only logs in which the SSL proxy flag is off (meaning only encrypted traffic) and the traffic is SSL traffic; every log entry has the value no in the Decrypted column and the value ssl in the Application column.

Similar to the example for viewing decrypted traffic logs, you can add terms to filter the traffic that you don’t decrypt in a more granular fashion.
View The Log for a Particular Session—To view the Traffic log for a particular session, filter on the Session ID.
For example, to see the log for a session with the ID 137020, filter using the term ( sessionid eq 137020). You can find the ID number in the Session ID column in the log output, as shown in the previous screens. If the Session ID column isn’t displayed, add the column to the output.
View All TLS and SSH Traffic—Filter the Traffic Logs (MonitorLogsTraffic) to view both decrypted and undecrypted TLS and SSH traffic, use the filter ( s_encrypted neq 0 ):
Drill Down Into the Details—To view more information about a particular log entry, click the magnifying glass to see a detailed log view. For example, for Session ID 137020 (shown in the previous bullet), the detailed log looks like this:

The box for the Decrypted flag provides a second way to verify if traffic was decrypted.
You can also take upstream and downstream packet captures of decrypted traffic to view how the firewall processes SSL traffic and takes actions on packets, or perform deep packet inspection.