Unsupported Parameters by Proxy Type and TLS Version

Decryption sessions are based on various parameters; the firewall does not support all parameters for all proxy types.
Decryption Log fields display decryption session parameters for each decryption proxy type. However, for reasons such as version support, encrypted portions of TLS handshakes, information availability, etc., some parameters are not available for every proxy type or TLS version. The following table shows unsupported Decryption log parameters by proxy type and TLS version.
| Proxy Type | Unsupported Parameter | TLS Version |
|---|---|---|
| Forward Proxy | Negotiated EC Curve | TLSv1.3 |
| Inbound Inspection | Server Name Identification; Root Common Name | All |
| Inbound Inspection | Negotiated EC Curve | TLSv1.3 |
| No Decrypt (No Decrypt action in the Decryption policy rule) | Negotiated EC Curve; Server Name Identification | TLSv1.2 |
| No Decrypt (No Decrypt action in the Decryption policy rule) | Negotiated EC Curve; Server Name Identification; Certificate Information (all certificate information fields, for example, Certificate Start Date, Certificate End Date, Certificate Key Type, etc.) | TLSv1.3 |
| Decryption Broker | Negotiated EC Curve | TLSv1.3 |
| GlobalProtect Portal | Server Name Identification; Root Common Name; Decryption policy name; App-ID | All |
| GlobalProtect Gateway | Server Name Identification; Decryption policy name; App-ID | All |
| Clientless SSLVPN | Server Name Identification | All |
| SSH | Decryption Log Not Supported | |
| Cleartext | Decryption Log Not Supported | |
