Decryption Application Command Center Widgets

Monitor and analyze TLS traffic activity including failure reasons, protocol usage, and key exchange activity.
The Application Command Center (ACC) widgets for decryption (
ACC
SSL Activity
) introduced in PAN-OS 10.0 work with Decryption Log to help you diagnose and resolve decryption issues quickly and easily. Use the
SSL Activity
widget to view and analyze network decryption activity such as the number of decrypted and undecrypted sessions, how much traffic uses different TLS protocol versions, the most common decryption failure reasons, and which applications and Server Name Identifications (SNIs) use weak ciphers and algorithms. Next, use the Decryption logs to drill down into sessions and diagnose the exact issue so you can take appropriate action.
PAN-OS 10.0 introduced five new decryption widgets. Use the information the widgets provide to identify misconfigured Decryption policies and profiles and to make informed decisions about what traffic to allow and what traffic to block:
  • Traffic Activity
    —Shows SSL/TLS activity compared to non-SSL/TLS activity by total number of sessions or by amount of traffic in bytes.
  • SSL/TLS Traffic
    —Shows the amount of decrypted and non-decrypted traffic by number of sessions or amount of traffic in bytes. Reasons for traffic not being decrypted include:
    • No Decryption policy is applied to the traffic.
    • The Decryption policy intentionally exempted the traffic from decryption (for example, a No Decryption policy).
    • The Decryption policy was misconfigured and the traffic was intended to be decrypted but is not.
    • The site is in the SSL Decryption Exclusion List (
      Device
      Certificate Management
      SSL Decryption Exclusion
      ), which contains sites Palo Alto Networks has identified that break decryption for technical reasons such as pinned certificates or client authentication. For these sites, the firewall bypasses decryption.
    • The site is in the Local Decryption Exclusion Cache, which contains sites that local users encounter which prevent decryption for technical reasons.
The ACC only populates the next three widgets with data from traffic that a Decryption policy controls. If you don’t apply a Decryption policy to traffic, that traffic does not populate these widgets.
  • Decryption Failure Reasons
    —Shows the reasons for decryption failures: protocol, certificate, version, cipher, HSM, resource, resume, or feature issues, by SNI. Use this information to detect problems caused by Decryption policy or profile misconfiguration or by traffic that uses unsupported weak protocols or algorithms. Click a failure reason to drill down and isolate the number of sessions per SNI that experienced the failure or click an SNI to see all of the decryption failures for that SNI.
  • Successful TLS Version Activity
    —Shows successful TLS connections by TLS version for applications or SNIs (SNIs are available for Forward Proxy only) so you can evaluate how much risk you are taking on by allowing weaker TLS protocol versions. Identifying applications and SNIs that use weak protocols enables you to evaluate each one and decide whether you need to allow access to it for business reasons. If you don’t need the application for business purposes, you may want to block the traffic instead of allowing it to reduce risk. Click a TLS version to drill down and view the SNIs or applications which used that TLS version. Click an application or an SNI to drill down and see how many of those application or SNI sessions used each TLS version.
  • Successful Key Exchange Activity
    —Shows successful key exchange activity per algorithm for applications or SNIs (SNIs are available for Forward Proxy only). Click a key exchange algorithm to see the activity for just that algorithm or click an application or SNI to view the key exchange algorithm activity for that application or SNI.
The following example of drilling down into ACC data shows you how to examine successful TLS version activity:
  1. The
    Successful TLS Version Activity
    widget shows that seventeen sessions used TLSv1.3 and seven sessions used TLSv1.2. The SNI list shows the destination SNIs and the number of sessions per SNI.
    acc-drill-down-step-1-initial-screen.png
  2. To see which SNIs used TLSv1.2, click the green bar labeled TLS1.2.
    acc-drill-down-step-2-click-green-bar.png
  3. Now you can see the seven TLSv1.2 sessions were spread among four servers.
    acc-drill-down-step-3-tlsv12-SNIs.png
  4. Clicking
    Home
    returns to the home screen. Now, clicking the www.espn.com SNI shows us which TLS versions it used. We can see that two of the four sessions used TLSv1.3 and two used TLSv1.2.
    acc-drill-down-step-4-espn-SNI.png
For any Decryption widget, click the Jump to Logs icon to jump directly to the Decryption logs that correspond to the data in the ACC:
jump-to-logs-from-decryption-acc-widgets.png
In the preceding example, at any point in the investigation you could jump to the Decryption logs for the data to drill down more. For example, you could examine the logs for the individual sessions that used TLSv1.2 to find out why they didn’t use TLSv1.3.
Decryption ACC widgets show the name of the decrypted application based on the Palo Alto Networks App-ID. For populating the ACC, the firewall can only identify applications that have a Palo Alto Networks App-ID; the firewall cannot populate the ACC with custom applications or applications that do not have an App-ID. Content updates update App-IDs regularly. Other reasons that the application may be shown as incomplete or unknown are:
  • The firewall dropped the session before it could identify the application.
  • Decryption logs depend on Traffic logs to populate the Decryption log application field. However, if the Traffic log is not completed in 60 seconds or less, the Traffic log does not populate the application in the Decryption log and the application displays as incomplete or unknown.

Recommended For You