Orion introduces several enhancements to
decryption logs to improve troubleshooting
and the analysis of log entries.
First, decryption log fields now distinguish between the client-side
session (traffic between client and firewall) and server-side session (traffic
between firewall and server), reflecting that for SSL Forward Proxy and SSL Inbound
Inspection, a Next-Generation Firewall (NGFW) acts as a proxy between the client and
server. These fields are prefixed with "client" or "server," respectively. Fields
that apply to the session as a whole, such as Session ID, are not prefixed
with these labels. The distinction helps you understand exactly what is happening at
each stage of the proxied connection, which in turn helps with targeting
troubleshooting efforts. For example, if a session fails, you might notice that the
values for the client and server side of the same field differ.
Second, new fields provide information about decryption status, reasons for
decryption exclusion, and certificate revocation status based on OCSP and CRL
checks. For example, Decryption Status records whether a session was decrypted
and, if it was not, whether that was by failure or by design. This information
helps you focus your attention and resources.
Finally, existing error messages have been simplified, and new error
messages have been added. These updates help you prioritize which
decryption log errors to review and act on.
All decryption log enhancements are enabled by default for all platforms
with decryption logging capabilities. The addition of new fields and error messages
won’t impact existing log filters and reports.
If you export decryption logs to CSV format, the client-side
fields and new fields follow the existing fields.
Changes to the error messages and the addition of new fields
increase the size of decryption log packets but don’t impact memory or
CPU usage.
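
The client-side versus server-side comparison described above, applied to a CSV export. This is an added example, not vendor code: the column names and sample rows are constructed, and the script assumes only the "client"/"server" prefix convention stated in the text.

```python
import csv
import io
import re

# Constructed sample export. Column names are hypothetical: the page only
# states that per-side fields are prefixed with "client" or "server".
SAMPLE_CSV = """Session ID,Client TLS Version,Server TLS Version,Client Cipher,Server Cipher,Error
1001,TLS1.3,TLS1.3,AES_256_GCM,AES_256_GCM,
1002,TLS1.3,TLS1.2,AES_256_GCM,AES_128_GCM,
1003,TLS1.2,,AES_128_GCM,,Handshake failure
"""

# A per-side column is "client" or "server", a separator, then the field name.
_SIDE = re.compile(r"^(client|server)[\s_\-]+(.+)$", re.IGNORECASE)


def paired_fields(header):
    """Map each shared field name to its (client column, server column)."""
    sides = {}
    for col in header:
        m = _SIDE.match(col.strip())
        if m:
            key = re.sub(r"[\s_\-]+", " ", m.group(2)).lower()
            sides.setdefault(key, {})[m.group(1).lower()] = col
    # Keep only fields that exist on both sides of the proxied connection.
    return {k: (v["client"], v["server"])
            for k, v in sides.items() if len(v) == 2}


def side_mismatches(csv_text, id_column="Session ID"):
    """Return {session id: {field: (client value, server value)}} for every
    session whose client-side and server-side values of a field differ."""
    reader = csv.DictReader(io.StringIO(csv_text))
    pairs = paired_fields(reader.fieldnames or [])
    report = {}
    for row in reader:
        diffs = {}
        for field, (c_col, s_col) in pairs.items():
            c_val = (row[c_col] or "").strip()
            s_val = (row[s_col] or "").strip()
            if c_val != s_val:  # an empty side also counts as a difference
                diffs[field] = (c_val, s_val)
        if diffs:
            report[row[id_column]] = diffs
    return report


if __name__ == "__main__":
    for sid, diffs in side_mismatches(SAMPLE_CSV).items():
        print(sid, diffs)
```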