No separate license required for decryption when using NGFWs or Prisma Access.

Note: The features and capabilities available to you in Strata Cloud Manager depend on your active license(s).
Decryption enhances visibility into your network and potential threats, serving as a
monitoring tool itself. Monitor decryption activity to understand what's happening on
your network, evaluate the effectiveness of your deployment against requirements and
goals, and address any weaknesses or issues. This practice is crucial during the
proof-of-concept phase and should continue as long as you decrypt. In fact, regular
monitoring is a post-deployment SSL decryption best practice.
You can't see what you don't decrypt, but you also can't decrypt effectively without
evaluating efficacy.
Monitoring and troubleshooting go hand-in-hand. Various tools and features enable you to monitor, analyze, and troubleshoot:

Decryption logs provide comprehensive information about individual sessions that match decryption policy rules, including no-decrypt rules, and GlobalProtect sessions (if you enable decryption logging in the GlobalProtect Portal or GlobalProtect Gateways configuration). You can log unsuccessful and successful TLS handshakes; unsuccessful handshakes are logged by default.

Application Command Center (ACC) SSL Activity widgets provide details about successful and unsuccessful decryption activity in your network, including decryption failures, TLS versions, key exchanges, and the amount and type of decrypted and undecrypted traffic.

Custom decryption reports are based on decryption logs, predefined templates, and other conditions, and you can export them to various formats.

You can add servers to an SSL decryption exclusion list. You can't add websites to the local cache yourself; the NGFW adds those servers automatically, provided that the decryption profile applied to the traffic allows unsupported modes.

Decryption mirroring creates a copy of decrypted traffic from an NGFW and sends it to a traffic collection tool such as NetWitness or Solera, which can receive raw packet captures for archiving and analysis.
You can use these tools to identify specific metrics, data patterns, and anomalies. Decryption Logs and Other Monitoring Tools describes these tools in more detail. For example, you can:

Identify traffic causing decryption failures by Server Name Indication (SNI) and application

Identify traffic using weak protocols and algorithms

Monitor successful and unsuccessful decryption activity in your network

Track the number of blocked sessions

Identify potential weaknesses in your decryption policy rules and profiles
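The checks listed above (failures by SNI and application, weak protocols and algorithms, blocked-session counts) are the kind of triage you would run over exported decryption logs. The following is an added example, not code from the documentation or the product: it works on a handful of constructed session records, and the field names (sni, app, tls_version, key_exchange, result, error) are assumptions chosen for illustration rather than the product's actual log schema. Map them to the columns of your own export before use.

```python
"""Triage of exported decryption log records (added example).

The record fields used here -- sni, app, tls_version, key_exchange, result,
error -- are constructed for illustration and are not claimed to match the
product's decryption log schema; adapt the keys to your export.
"""
from collections import Counter, defaultdict

# Constructed sample records, one per TLS session. 'result' is the outcome
# of the session (decrypted, no-decrypt, blocked); 'error' is the failure
# reason for blocked sessions.
SAMPLE_LOGS = [
    {"sni": "mail.example.com", "app": "web-browsing", "tls_version": "TLS1.3",
     "key_exchange": "ECDHE", "result": "decrypted", "error": ""},
    {"sni": "pinned.example.net", "app": "ssl", "tls_version": "TLS1.2",
     "key_exchange": "ECDHE", "result": "blocked", "error": "client certificate pinning"},
    {"sni": "legacy.example.org", "app": "web-browsing", "tls_version": "TLS1.0",
     "key_exchange": "RSA", "result": "decrypted", "error": ""},
    {"sni": "pinned.example.net", "app": "ssl", "tls_version": "TLS1.2",
     "key_exchange": "ECDHE", "result": "blocked", "error": "client certificate pinning"},
    {"sni": "bank.example.com", "app": "web-browsing", "tls_version": "TLS1.2",
     "key_exchange": "RSA", "result": "no-decrypt", "error": ""},
    {"sni": "legacy.example.org", "app": "web-browsing", "tls_version": "TLS1.1",
     "key_exchange": "ECDHE", "result": "blocked", "error": "unsupported protocol version"},
]

# Protocol versions and key exchanges you would normally want to find and
# phase out: pre-TLS1.2 versions, and RSA key exchange (no forward secrecy).
WEAK_TLS_VERSIONS = {"SSLv3", "TLS1.0", "TLS1.1"}
WEAK_KEY_EXCHANGES = {"RSA"}


def failures_by_sni_and_app(records):
    """Count blocked sessions per (SNI, application), keeping the error reasons seen.

    Returns a dict ordered from most to fewest failures, so the top entries are
    the first candidates for a decryption exclusion or a policy review.
    """
    counts = Counter()
    reasons = defaultdict(set)
    for r in records:
        if r["result"] != "blocked":
            continue
        key = (r["sni"], r["app"])
        counts[key] += 1
        if r["error"]:
            reasons[key].add(r["error"])
    return {k: {"count": n, "errors": sorted(reasons[k])} for k, n in counts.most_common()}


def weak_crypto_sessions(records):
    """Return distinct (SNI, TLS version, key exchange) tuples that use a weak
    protocol version or key exchange, regardless of whether decryption succeeded."""
    weak = {
        (r["sni"], r["tls_version"], r["key_exchange"])
        for r in records
        if r["tls_version"] in WEAK_TLS_VERSIONS or r["key_exchange"] in WEAK_KEY_EXCHANGES
    }
    return sorted(weak)


def session_outcome_summary(records):
    """Count sessions per outcome (decrypted / no-decrypt / blocked) to track
    successful and unsuccessful decryption activity and the number of blocked sessions."""
    return dict(Counter(r["result"] for r in records))


if __name__ == "__main__":
    print("Failures by SNI and application:")
    for (sni, app), info in failures_by_sni_and_app(SAMPLE_LOGS).items():
        print(f"  {sni} / {app}: {info['count']} blocked, reasons={info['errors']}")
    print("Sessions using weak protocols or key exchanges:")
    for sni, ver, kex in weak_crypto_sessions(SAMPLE_LOGS):
        print(f"  {sni}: {ver} with {kex}")
    print("Outcome summary:", session_outcome_summary(SAMPLE_LOGS))
```

Run the script on its built-in sample, or replace SAMPLE_LOGS with rows read from a CSV export of your decryption logs (a csv.DictReader over the export gives the same dict shape once the keys are renamed). The failure report is grouped by SNI and application rather than by source address because the fix is usually a per-site decision (exclude, adjust the profile, or accept the block), which is exactly what the monitoring guidance above is steering you toward.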
The Troubleshooting Decryption chapter provides examples and explanations of using these tools to identify, investigate, and resolve issues with your decryption deployment, focusing on commonly encountered issues. Understanding which tools to use for which issues, and how to use them, helps you investigate and address a wide range of decryption issues.
The following table lists the monitoring tools available for the major management
interfaces.