Troubleshoot and Monitor Decryption
Troubleshoot, investigate, and resolve TLS decryption
issues using visibility-enhancing diagnostic tools.
Troubleshooting tools provide enhanced visibility into
TLS traffic so you can monitor your decryption deployment. The tools
enable you to diagnose and resolve decryption issues quickly and
easily, tighten weaknesses in your decryption deployment, and fix
decryption issues to improve your security posture. For example,
you can:
- Identify traffic that causes decryption failures by Server Name Indication (SNI) and application.
- Identify traffic that uses weak protocols and algorithms.
- Examine successful and unsuccessful decryption activity in the network.
- View detailed information about individual sessions.
- Profile decryption usage and patterns.
- Monitor detailed decryption statistics and information about adoption, failures, versions, algorithms, and so on.
The following tools provide full visibility into
the TLS handshake and help you troubleshoot and monitor your decryption
deployment:
ACC SSL Activity widgets—The five ACC widgets on this tab (introduced in PAN-OS 10.0) provide details about successful and unsuccessful decryption activity in your network, including decryption failures, TLS versions, key exchanges, and the amount and type of decrypted and undecrypted traffic.
Decryption Log—The Decryption Log (introduced in PAN-OS 10.0) provides comprehensive information about individual sessions that match a Decryption policy, sessions that use a No Decryption policy for traffic you don’t decrypt, and GlobalProtect sessions when you enable Decryption logging in the GlobalProtect Portal or GlobalProtect Gateways configuration. Select which columns to display to view information such as application, SNI, Decryption Policy Name, error index, TLS version, key exchange version, encryption algorithm, certificate key types, and many other characteristics. Filter the information in columns to identify traffic that uses particular TLS versions and algorithms, traffic with particular errors, or any other characteristics you want to investigate. By default, Decryption policies log only unsuccessful TLS handshakes. If you have the available log storage, configure Decryption policies to log successful TLS handshakes as well to gain visibility into those decrypted sessions.
Local Decryption Exclusion Cache—There are two constructs for sites that break decryption for technical reasons such as client authentication or pinned certificates and therefore need to be excluded from decryption: the SSL Decryption Exclusion List and the Local Decryption Exclusion Cache. The SSL Decryption Exclusion List contains the servers that Palo Alto Networks has identified as technically breaking decryption. Content updates keep the list up to date, and you can add servers to the list manually. The Local Decryption Exclusion Cache automatically adds servers that local users encounter that break decryption for technical reasons and excludes them from decryption, provided that the Decryption profile applied to the traffic allows unsupported modes (if unsupported modes are blocked, the traffic is blocked instead of being added to the local cache).
Custom Report Templates for Decryption—You can create custom reports using four predefined templates that summarize decryption activity (introduced in PAN-OS 10.0).
The general troubleshooting methodology is to start with the
ACC widgets to identify traffic that causes decryption issues. Next,
use the Decryption Log and custom report templates to drill down
into details and gain context about that traffic. This enables you
to diagnose issues accurately and much more easily than in the past.
Understanding decryption issues and their causes enables you to
select the appropriate way to fix each issue, such as:
- Modify Decryption policy rules (a policy rule defines the traffic that the rule affects, the action taken on that traffic, log settings, and the Decryption profile applied to the traffic).
- Modify Decryption profiles (acceptable protocols and algorithms for the traffic that a Decryption policy rule controls, plus failure checks, unsupported mode checks for items such as unsupported ciphers and versions, certificate checks, and so on).
- Add sites that break decryption for technical reasons to the SSL Decryption Exclusion List.
- Evaluate security decisions about which sites your employees, customers, and partners really need to access and which sites you can block when those sites use weak decryption protocols or algorithms.
The goal is to decrypt all the traffic you can decrypt (a decryption best practice) so that you can inspect it, and to properly handle the traffic that you don’t decrypt.
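As an added example (not from the PAN-OS documentation), the Python script below applies the triage described above to a constructed export of Decryption Log rows: it ranks failures by SNI and application, groups them by error index, and flags sessions that negotiated weak versions, key exchanges or ciphers. The column names follow the columns the text lists; the row format, the result column and the sets of weak versions and algorithms are assumptions.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of exported Decryption Log rows (not a real PAN-OS export format);
# column names mirror the columns the text lists, the result column and values are made up.
SAMPLE_CSV = """result,app,sni,policy,error_index,tls_version,key_exchange,enc_alg
failure,ssl,update.example-vendor.test,Decrypt-Outbound,Certificate,TLSv1.2,ECDHE,AES-256-GCM
failure,ssl,update.example-vendor.test,Decrypt-Outbound,Certificate,TLSv1.2,ECDHE,AES-256-GCM
failure,web-browsing,legacy.intranet.test,Decrypt-Outbound,Protocol,TLSv1.0,RSA,3DES-CBC
success,web-browsing,www.example.test,Decrypt-Outbound,,TLSv1.3,ECDHE,AES-256-GCM
success,ssl,mail.example.test,Decrypt-Outbound,,TLSv1.1,RSA,RC4-128
failure,ssl,banking.example.test,Decrypt-Outbound,Certificate,TLSv1.2,ECDHE,AES-128-GCM
"""

# What counts as weak here is an assumption for the example, not a PAN-OS setting.
WEAK_VERSIONS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_KEY_EXCHANGE = {"RSA"}  # static RSA key exchange: no forward secrecy
WEAK_ALGORITHMS = {"RC4-128", "3DES-CBC", "DES-CBC", "NULL"}

def parse_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def failures_by_sni_and_app(rows):
    """Rank (SNI, application) pairs by number of failed TLS handshakes."""
    counts = Counter((r["sni"], r["app"]) for r in rows if r["result"] == "failure")
    return counts.most_common()

def failures_by_error(rows):
    """Group the SNIs of failed sessions by error index to expose the cause."""
    grouped = defaultdict(set)
    for r in rows:
        if r["result"] == "failure":
            grouped[r["error_index"]].add(r["sni"])
    return {err: sorted(snis) for err, snis in grouped.items()}

def weak_crypto_sessions(rows):
    """Flag sessions, decrypted or not, that negotiated weak versions or algorithms."""
    flagged = []
    for r in rows:
        reasons = []
        if r["tls_version"] in WEAK_VERSIONS:
            reasons.append("version:" + r["tls_version"])
        if r["key_exchange"] in WEAK_KEY_EXCHANGE:
            reasons.append("kx:" + r["key_exchange"])
        if r["enc_alg"] in WEAK_ALGORITHMS:
            reasons.append("cipher:" + r["enc_alg"])
        if reasons:
            flagged.append((r["sni"], reasons))
    return flagged
```

Successful sessions only appear in the export if the Decryption policy logs successful handshakes, so the weak-crypto report is only complete when that logging is enabled.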
In PAN-OS 10.0 or later, the device takes 1% of the log space
and allocates it to Decryption logs.
Step 3 in
Configure Decryption Logging shows you
how to modify the log space allocation to provide more space for
Decryption logs.
If you downgrade from PAN-OS 10.0 or later to PAN-OS 9.1 or earlier,
the features introduced in PAN-OS 10.0 (Decryption Log, SSL Activity
widgets in the ACC, custom report Decryption templates) are removed
from the UI. References to Decryption logs are also removed from
Log Forwarding profiles. In addition, the Local Decryption Exclusion
Cache is only viewable using the CLI in PAN-OS 9.1 and earlier (PAN-OS
10.0 added the local cache to the UI).
If you push configurations from Panorama on PAN-OS 10.0 or later
to devices that run PAN-OS 9.1 or earlier, Panorama removes the
features introduced in PAN-OS 10.0.