Configure Decryption Logging
Log successful and unsuccessful TLS handshakes and forward logs to appropriate storage and administrators for analysis.
The firewall generates Decryption logs for sessions governed by a Decryption policy, including sessions with a No Decrypt policy. Configure Decryption logging in the Decryption policy that controls the traffic that you want to log.
- Configure the Decryption traffic you want to log in Decryption policy (Policies > Decryption). By default, the firewall logs only unsuccessful TLS handshakes.
- Create a Log Forwarding profile to forward Decryption logs to Log Collectors, other storage devices, or specific administrators, and then specify the profile in the Log Forwarding field of the Decryption policy's Options tab. To forward Decryption logs, you must configure a Log Forwarding profile (Objects > Log Forwarding) that specifies the Decryption Log Type and the method of forwarding the logs. If you forward Decryption logs, be sure that the logs are stored securely because they contain sensitive information.
- If you log successful TLS handshakes in addition to unsuccessful TLS handshakes, configure a larger log storage space quota (Device > Setup > Management > Logging and Reporting Settings > Log Storage) for Decryption logs on the firewall. The default quota (allocation) is one percent of the device's log storage capacity for Decryption logs and one percent for the general decryption summary. There is no default allocation for hourly, daily, or weekly decryption summaries. Many factors determine the amount of storage you may need for Decryption logs, and they depend on your deployment. For example, take these factors into account:
  - The amount of TLS traffic that passes through the firewall.
  - The amount of TLS traffic that you decrypt.
  - Your usage of other logs (evaluate from which logs you should take capacity to allocate to Decryption logs).
  - If you log both successful and unsuccessful TLS handshakes, you probably need significantly more capacity than if you log only unsuccessful TLS handshakes. Depending on the amount of traffic you decrypt, Decryption logs could consume as much capacity as Traffic logs or Threat logs and may require a tradeoff among them if the device's capacity is already fully subscribed.
  The total combined allocation of log quotas cannot exceed 100% of the available firewall log resources. You may need to experiment to find the right quota for each log category in your particular deployment. If you log only unsuccessful handshakes, you could start with the default or increase the allocation to two or three percent. If you log both successful and unsuccessful handshakes, you could start by allocating to Decryption logs about half of the space that you allocate to Traffic logs. Which logs you take the space from to allocate to Decryption logs depends on your traffic, your business, and your monitoring requirements.
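The quota rules above (a combined allocation that can never exceed 100%, a 1% default for Decryption logs plus 1% for the general decryption summary, and "about half of the Traffic log allocation" as a starting point when successful handshakes are logged) are easy to get wrong when rebalancing by hand. The following planner is an added example, not Palo Alto Networks code or anything the firewall exposes; the log-type names and the sample quota table are constructed for illustration, and it only validates and proposes numbers that you would then enter in Log Storage yourself.

```python
"""Plan a Decryption log quota before changing Log Storage settings.

Added example (not Palo Alto Networks code). It encodes the rules stated in
the documentation: the combined allocation of all log quotas cannot exceed
100% of the firewall's log storage, the default Decryption allocation is 1%
plus 1% for the general decryption summary, and when successful handshakes
are logged a reasonable starting point is about half of the Traffic log
allocation. The log-type names and SAMPLE_QUOTAS are constructed.
"""

DEFAULT_DECRYPTION_QUOTA = 1.0          # percent, per the documentation
DEFAULT_DECRYPTION_SUMMARY_QUOTA = 1.0  # percent, per the documentation

# Constructed sample allocation (percent of total log storage); sums to 100.
SAMPLE_QUOTAS = {
    "traffic": 30.0,
    "threat": 20.0,
    "url": 10.0,
    "system": 5.0,
    "config": 5.0,
    "decryption": DEFAULT_DECRYPTION_QUOTA,
    "decryption_summary": DEFAULT_DECRYPTION_SUMMARY_QUOTA,
    "other": 28.0,
}


def validate_quotas(quotas):
    """Return the total allocation; raise if it exceeds 100% or any value is negative."""
    for name, pct in quotas.items():
        if pct < 0:
            raise ValueError(f"quota for {name} is negative: {pct}")
    total = sum(quotas.values())
    if total > 100.0 + 1e-9:
        raise ValueError(f"total allocation {total:.1f}% exceeds 100%")
    return total


def suggest_decryption_quota(quotas, log_successful_handshakes):
    """Suggest a Decryption log allocation in percent.

    Unsuccessful-only logging: keep the default (raise it to 2-3% if needed).
    Successful + unsuccessful: start at half of the current Traffic allocation.
    """
    if not log_successful_handshakes:
        return DEFAULT_DECRYPTION_QUOTA
    return quotas["traffic"] / 2.0


def rebalance(quotas, target, take_from):
    """Return a new quota table with 'decryption' raised to target percent.

    The additional space is taken from the log type named in take_from, and
    the result is validated so the combined allocation never exceeds 100%.
    """
    new = dict(quotas)
    current = new.get("decryption", DEFAULT_DECRYPTION_QUOTA)
    delta = target - current
    if new[take_from] - delta < 0:
        raise ValueError(
            f"{take_from} has only {new[take_from]}% available, need {delta}%"
        )
    new[take_from] -= delta
    new["decryption"] = target
    validate_quotas(new)
    return new


if __name__ == "__main__":
    validate_quotas(SAMPLE_QUOTAS)
    target = suggest_decryption_quota(SAMPLE_QUOTAS, log_successful_handshakes=True)
    plan = rebalance(SAMPLE_QUOTAS, target, take_from="traffic")
    for name, pct in plan.items():
        print(f"{name:20s} {pct:5.1f}%")
```

Running the block proposes taking the extra Decryption capacity from Traffic logs, which is the starting point the documentation suggests; substitute Threat or another log type in `take_from` if that better matches your monitoring priorities, and the validation step will refuse any plan that leaves a quota negative or pushes the total past 100%.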