>
    Strata Copilot
    Test Decryption (Strata Cloud Manager)
    Focus
    Download PDF
    Focus
    1. Home
    2. Network Security
    4. Enable Decryption
    5. Test Decryption
    6. Test Decryption (Strata Cloud Manager)
    Download PDF
    Network Security

    Test Decryption (Strata Cloud Manager)

    Table of Contents

    Test Decryption (Strata Cloud Manager)

    • Filter the Traffic logs for decrypted traffic sessions.
      • Select Log ViewerFirewall/Traffic.
      • In the search field, enter the following query: ( Is Proxy = true).
      This filter displays only logs in which the SSL proxy flag is on, meaning only decrypted traffic—every log entry has the value true in the Decrypted column.
      You can filter the traffic more granularly by adding more terms to the query. For example, to filter for decrypted traffic going only to the destination IP address 99.84.224.105, add the query Destination Address = '99.84.224.105'.
    • Filter the Traffic logs for SSL traffic sessions that were not decrypted.
      • Select Log ViewerFirewall/Traffic.
      • In the search field, enter one of the following queries:
        • (Is Proxy != true) AND (Application = 'SSL')
        • (Is Decrypted = False) AND (Application = 'SSL')
      This filter displays only logs in which the SSL proxy flag is off (meaning only encrypted traffic) and the traffic is SSL traffic; every log entry has the value false in the Decrypted column and the value ssl in the Application column.
      Similar to the example for viewing decrypted Traffic logs, you can add terms to filter the traffic that you don’t decrypt in a more granular fashion.
    • Filter the Traffic logs for a particular session.
      • Select Log ViewerFirewall/Traffic.
      • Filter on the Session ID using the query Session ID = Session ID value. For example, to see the log for a session with the ID 137020, enter the query: Session ID = 137020). You can find the ID number in the Session ID column in the log output, as shown in the previous screens. If the Session ID column isn’t visible, add the column to the output.
    • Filter the Traffic logs for all TLS and SSH traffic.
      • Select Log ViewerFirewall/Traffic.
      • To view both decrypted and undecrypted TLS and SSH traffic, use the query: Is Encrypted != 0.
    • Drill down into the log details.
      To view more information about a particular log entry, click the log details icon (
      ). For example, for Session ID 137020 (shown in the previous bullet), the detailed log looks like this:
      The box for the Decrypted flag provides a second way to verify if traffic was decrypted.
      You can also take upstream and downstream packet captures of decrypted traffic to view how the NGFW processes SSL traffic and takes actions on packets, or perform deep packet inspection.

    © 2026 Palo Alto Networks, Inc. All rights reserved.