Log successful and unsuccessful TLS handshakes and forward
logs to appropriate storage and administrators for analysis.
The firewall generates Decryption logs for
sessions governed by a Decryption policy,
including sessions with a No Decrypt policy. Configure Decryption
logging in the Decryption policy that controls the traffic that
you want to log.
Configure the Decryption traffic you want to log
in Decryption policy (
By default, the firewall logs only unsuccessful TLS handshakes:
Log successful handshakes as well as unsuccessful handshakes
to gain visibility into as much decrypted traffic as your device’s available resources permit (don’t
decrypt private or sensitive traffic; follow decryption best practices and
decrypt as much traffic as you can).
Create a Log Forwarding profle to
forward Decryption logs to Log Collectors, other storage devices,
or specific administrators and then specify the profile in the
field of the Decryption policy
To forward Decryption logs, you must configure a Log Forwarding
forward Decryption logs, be sure that the logs are stored securely
because they contain sensitive information.
If you log successful TLS handshakes in addition to unsuccessful TLS
handshakes, configure a larger log storage space quota (
Logging and Reporting Settings
for Decryption logs on the firewall.
The default quota (allocation) is one percent of the device’s
log storage capacity for Decryption logs and one percent for the
general decryption summary. There is no default allocation for hourly,
daily, or weekly decryption summaries.
determine the amount of storage you may need for Decryption logs and
they depend on your deployment. For example, take these factors
The amount of TLS traffic that passes
through the firewall.
The amount of TLS traffic that you decrypt.
Your usage of other logs (evaluate from which logs you should
take capacity to allocate to Decryption logs).
If you log both successful and unsuccessful TLS handshakes,
you probably need significantly more capacity than you need if you
only log unsuccessful TLS handshakes. Depending on the amount of
traffic you decrypt, Decryption logs could consume as much capacity
as Traffic logs or Threat logs and may require a tradeoff among
them if the device’s capacity is already fully subscribed.
total combined allocation of log quotas cannot exceed 100% of the
available firewall log resources.
You may need to experiment
to find the right quota for each log category in your particular
deployment. If you only log unsuccessful handshakes, you could start
with the default or increase the allocation to two or three percent.
If you log both successful and unsuccessful handshakes, you could
start by allocating about half of the space to Decryption logs that
you allocate to Traffic logs. The logs from which you take the space to
allocate to Decryption logs depends on your traffic, your business,
and your monitoring requirements.