Monitor Decryption
Monitor decryption activity to understand, evaluate, and improve or maintain your
decryption deployment
Where Can I Use This? | What Do I Need?
---|---
| No separate license required for decryption when using NGFWs or Prisma Access. Note: The features and capabilities available to you in Strata Cloud Manager depend on your active license(s).
Decryption enhances visibility into your network and the threats on it, so it is a
monitoring tool in its own right. Monitor decryption activity to understand what is
happening on your network, evaluate how well your deployment meets your requirements and
goals, and address any weaknesses or issues. This practice is essential during the
proof-of-concept phase and should continue for as long as you decrypt: regular
monitoring is a post-deployment SSL decryption best practice.
You can't see what you don't decrypt, but you also can't decrypt effectively without
evaluating efficacy.
Monitoring and troubleshooting go hand in hand. The following tools and features enable you to monitor, analyze, and troubleshoot decryption.
Not all monitoring tools are available on each management interface. For information, refer to the Platform Support for Monitoring Tools table and the support tables in Decryption Monitoring Tools.
- Decryption logs provide detailed information about individual sessions that match decryption policy rules, including no-decrypt rules, and GlobalProtect sessions (if you enable decryption logging in the GlobalProtect Portal or GlobalProtect Gateways configuration). You can log unsuccessful and successful TLS handshakes; unsuccessful handshakes are logged by default, and you must enable logging of successful handshakes explicitly (doing so increases log volume, so size log storage accordingly).
- Application Command Center (ACC) SSL Activity widgets provide details about successful and unsuccessful decryption activity in your network, including decryption failures, TLS versions, key exchanges, and the amount and type of decrypted and undecrypted traffic.
- Custom decryption reports are built from decryption logs using predefined templates and conditions that you specify, and can be exported in various formats.
- The Local SSL Decryption Exclusion Cache and the Palo Alto Networks Predefined Decryption Exclusions list websites and servers that break decryption for technical reasons such as certificate pinning. Traffic to these websites and servers is automatically excluded from decryption, and content updates keep the predefined list current. You can manually add servers to the SSL Decryption Exclusion list, but you can't add entries to the local cache: the NGFW populates it automatically with servers whose sessions failed decryption, provided the decryption profile applied to the traffic allows unsupported modes. Because excluded traffic passes through undecrypted, review both lists regularly so that exclusions don't silently grow into blind spots.
- Decryption mirroring creates a copy of decrypted traffic from an NGFW and sends it to a traffic collection tool such as NetWitness or Solera, which can receive raw packet captures for archiving and analysis.
You can use these tools to identify specific metrics, data patterns, and anomalies. Decryption Logs and Other Monitoring Tools describes these tools in more detail. For example, you can:
- Identify traffic causing decryption failures by Server Name Indication (SNI) and application
- Identify traffic using weak protocols and algorithms
- Monitor successful and unsuccessful decryption activity in your network
- Track the number of blocked sessions
- Identify potential weakness in your decryption policy rules and profiles
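As an added example (not code from the Palo Alto Networks documentation or from PAN-OS), the following Python script shows the kind of triage that the decryption-log bullet above and this list describe: it parses a handful of constructed log records, counts failed handshakes by SNI and application and by error reason, flags sessions negotiated with weak TLS versions, key exchanges or ciphers, and reports totals. The comma-separated field layout, the sample records and the weakness policy (WEAK_VERSIONS, WEAK_KEY_EXCHANGE, WEAK_CIPHER_TOKENS) are assumptions for illustration and do not reproduce the real Decryption log format; adapt the parser to the fields your log export actually carries.

```python
"""Triage constructed decryption-log records: failures by SNI and
application, sessions on weak protocols or algorithms, and totals.

Added example, not code from the Palo Alto Networks documentation. The
CSV layout is a simplified stand-in for Decryption log fields (SNI,
application, TLS version, key exchange, cipher, result, error reason)
and does not reproduce the real PAN-OS log format.
"""
import csv
import io
from collections import Counter

# Constructed sample records (not real firewall output).
SAMPLE_LOG = """\
sni,app,tls_version,key_exchange,cipher,result,error
bank.example.com,web-browsing,TLS1.3,X25519,AES-256-GCM-SHA384,success,
bank.example.com,web-browsing,TLS1.3,X25519,AES-256-GCM-SHA384,success,
update.example.net,ssl,TLS1.2,ECDHE,AES-128-GCM-SHA256,fail,certificate pinning
update.example.net,ssl,TLS1.2,ECDHE,AES-128-GCM-SHA256,fail,certificate pinning
legacy.example.org,ssl,TLS1.0,RSA,RC4-SHA,fail,unsupported cipher suite
intranet.example.com,web-browsing,TLS1.2,RSA,AES-256-CBC-SHA256,success,
chat.example.com,ssl,TLS1.2,ECDHE,AES-128-GCM-SHA256,fail,untrusted issuer CA
old.example.org,ssl,TLS1.1,ECDHE,3DES-EDE-CBC-SHA,success,
"""

# Assumed weakness policy for this example; tune it to your own rules.
WEAK_VERSIONS = {"SSLv3", "TLS1.0", "TLS1.1"}
WEAK_KEY_EXCHANGE = {"RSA"}  # static RSA key exchange: no forward secrecy
WEAK_CIPHER_TOKENS = {"RC4", "3DES", "DES", "NULL", "EXPORT", "MD5"}


def parse_records(text):
    """Parse CSV text into a list of dicts; blank lines are skipped."""
    reader = csv.DictReader(io.StringIO(text))
    return [row for row in reader if row.get("sni")]


def failures_by_sni_app(records):
    """Count failed handshakes per (SNI, application) pair."""
    return Counter((r["sni"], r["app"]) for r in records if r["result"] == "fail")


def failures_by_reason(records):
    """Count failed handshakes per error reason."""
    return Counter(r["error"] for r in records if r["result"] == "fail")


def weakness_reasons(record):
    """Return the reasons a session counts as weak (empty list if none)."""
    reasons = []
    if record["tls_version"] in WEAK_VERSIONS:
        reasons.append("version:" + record["tls_version"])
    if record["key_exchange"] in WEAK_KEY_EXCHANGE:
        reasons.append("kex:" + record["key_exchange"])
    # Cipher names are split on '-' so that e.g. "3DES-EDE-CBC-SHA" is caught.
    tokens = set(record["cipher"].upper().split("-"))
    for bad in sorted(WEAK_CIPHER_TOKENS & tokens):
        reasons.append("cipher:" + bad)
    return reasons


def weak_sessions(records):
    """Return (sni, reasons) for every session using a weak version, key
    exchange or cipher, whether or not decryption succeeded."""
    out = []
    for r in records:
        reasons = weakness_reasons(r)
        if reasons:
            out.append((r["sni"], reasons))
    return out


def summarize(records):
    """Totals a reviewer would check first."""
    total = len(records)
    failed = sum(1 for r in records if r["result"] == "fail")
    return {
        "total": total,
        "success": total - failed,
        "fail": failed,
        "weak": len(weak_sessions(records)),
        "top_failures": failures_by_sni_app(records).most_common(3),
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(summarize(recs))
    print(failures_by_reason(recs))
    for sni, why in weak_sessions(recs):
        print(sni, why)
```

Note that weak_sessions() looks at every session, not only failures: a successful decryption over TLS 1.0 with RC4 is still something to act on, because a decryption profile that allows those algorithms is a weakness in the policy itself, which is the last item in the list above.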
The Troubleshooting Decryption chapter provides examples and explanations of how to use
these tools to identify, investigate, and resolve issues with your decryption deployment,
focusing on commonly encountered issues. Understanding which tools to use for which
issues, and how, helps you investigate and address a wide range of decryption problems.
The following table lists the monitoring tools available for the major management interfaces.
Platform | Monitoring Tool
---|---
Next-Generation Firewall (PAN-OS & Panorama) |
Prisma Access and NGFW (Strata Cloud Manager) |