Network Security
Investigate Reasons for Decryption Failure
Table of Contents
Investigate Reasons for Decryption Failure
Identify decryption failures and why they happened and drill down into the exact
failure reasons so you can address issues.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
No separate license required for decryption when using NGFWs or
Prisma Access.
Note: The features and capabilities available to you in
Strata Cloud Manager depend on your active license(s).
|
The most common reasons for decryption failures are TLS protocol errors,
cipher version errors (client and server version mismatches and client and
Decryption profile version mismatches), and certificate errors. To investigate decryption errors, start with the
Application Command Center (ACC) to identify failures and then go to the Decryption
logs to drill down into details.
For additional information about these errors and possible remediation, see Decryption Log Errors, Error Indexes, and
Bitmasks.
Investigate Decryption Failures (Strata Cloud Manager)
- Select and select Firewall/Decryption to drill down into the logs.Use the query Error Index = 'Certificate' to view all Decryption sessions that experienced certificate errors.The Error column shows the reason for the certificate error. To filter for all Decryption sessions that had the same error, click the error message to add it to the query and then execute the query. For example, to find all errors based on receiving a fatal alert from the client, clicking the error produces the query (Error Index = Certificate) AND (Error Message = ‘Received fatal alert CertificateUnknown from client’).To filter for the certificate errors that a specific host received, add that SNI to the query instead of adding error message text. For example, to find all certificate errors for expired.badssl.com, use the query (Error Index = 'Certificate') AND (Server Name Indication = ‘expired.badssl.com’).The Error column shows the specific reason for each certificate error associated with expired.badssl.com.Once you know the reason for the certificate issue that caused the decryption failure, you can address it. For example, if the certificate chain is incomplete, you can repair the incomplete certificate chain. If a certificate is expired, you can notify the site administrator or create a policy-based exception if you need to access the site.
Investigate Decryption Failures (PAN-OS)
- Begin your investigation at and look at the Decryption Failure Reasons widget.
In this example, we investigate certificate errors. You can use the same process to investigate version and protocol errors. - Click the green bar next to Certificate to see which hosts (SNIs) experienced certificate errors and see a list of hosts that experienced the largest number of certificate errors.
- Go to to drill down into the logs.Use the query (err_index eq Certificate) to filter the Decryption logs to view all Decryption sessions that experienced certificate errors.
The Error column shows the reason for the certificate error. To filter for all Decryption sessions that had the same error, click the error message to add it to the query and then execute the query. For example, to find all errors based on receiving a fatal alert from the client, clicking the error produces the query (err_index eq Certificate) and (error eq ‘Received fatal alert CertificateUnknown from client’):
To filter for the certificate errors that a specific host received, add that SNI to the query instead of adding error message text. For example, to find all certificate errors for expired.badssl.comm use the query (err_index eq Certificate) and (sni eq ‘expired.badssl.com’):
The Error column shows the specific reason for each certificate error associated with expired.badssl.com.Once you know the reason for the certificate issue that caused the decryption failure, you can address it. For example, if the certificate chain is incomplete, you can repair the certificate chain. If a certificate is expired, you can notify the site administrator or create a policy-based exception if you need to access the site.
