Investigate Decryption Failures (PAN-OS)

Table of Contents

Begin your investigation at ACCSSL Activity and look at the Decryption Failure Reasons widget.

In this example, we investigate certificate errors. You can use the same process to investigate version and protocol errors.
Click the green bar next to Certificate to see which hosts (SNIs) experienced certificate errors and see a list of hosts that experienced the largest number of certificate errors.
Go to MonitorLogsDecryption to drill down into the logs.

Use the query (err_index eq Certificate) to filter the Decryption logs to view all Decryption sessions that experienced certificate errors.

The Error column shows the reason for the certificate error. To filter for all Decryption sessions that had the same error, click the error message to add it to the query and then execute the query. For example, to find all errors based on receiving a fatal alert from the client, clicking the error produces the query (err_index eq Certificate) and (error eq ‘Received fatal alert CertificateUnknown from client’):

To filter for the certificate errors that a specific host received, add that SNI to the query instead of adding error message text. For example, to find all certificate errors for expired.badssl.comm use the query (err_index eq Certificate) and (sni eq ‘expired.badssl.com’):

The Error column shows the specific reason for each certificate error associated with expired.badssl.com.

Once you know the reason for the certificate issue that caused the decryption failure, you can address it. For example, if the certificate chain is incomplete, you can repair the certificate chain. If a certificate is expired, you can notify the site administrator or create a policy-based exception if you need to access the site.