The Decryption Log (MonitorLogsDecryption)
provides comprehensive information about sessions that match a Decryption
policy to help you gain context about that traffic so you can accurately
and easily diagnose and resolve decryption issues. The firewall
does not log traffic if the traffic does not match a Decryption
policy. If you want to log traffic that you don’t decrypt, create
a policy-based decryption exclusion and
for policies that govern TLSv1.2 and earlier traffic, apply a No Decryption profile to
the traffic.
PAN-OS supports Decryption logs for the following types of traffic:
Forward Proxy—Several fields only display information
for Forward Proxy traffic, including Root CA (for trusted certificates only)
and Server Name Identification (SNI).
Inbound Inspection.
No Decrypt (traffic excluded from decryption by Decryption
policy).
Because the session remains encrypted, the
firewall displays less information. For undecrypted TLSv1.3 traffic,
there is no certificate information because TLSv1.3 encrypts certificate
information.
The data for Forward Proxy traffic is based on whether the TLS
handshake is successful or unsuccessful. For unsuccessful TLS handshakes, the
firewall sends error data for the leg of the transaction that caused
the error, either client-to-firewall or firewall-to-server. For
successful TLS handshakes, the data is from the leg that successfully
completes first, which is usually client-to-firewall.
The firewall does not generate Decryption log entries for
web traffic blocked during SSL/TLS handshake inspection.
These sessions do not appear in Decryption logs because the firewall
prevents decryption when it resets the SSL/TLS connection, ending
the handshake. You can view details of the blocked sessions in the
URL Filtering logs.
Decryption logs are not supported for
SSH Proxy traffic. In addition, certificate information is not available
for session resumption logs.
By default, the firewall logs all unsuccessful
TLS handshake traffic. You can also log successful TLS handshake
traffic if you choose to do so. You can view up to 62 columns of
log information such as application, SNI, Decryption Policy Name,
error index, TLS version, key exchange version, encryption algorithm,
certificate key types, and many other characteristics:
Click the magnifying glass icon (
) to see the Detailed
Log View of a session.
The Decryption log learns each session’s App-ID from the
Traffic log, so Traffic logs must be enabled to see the App-ID in
the Decryption log. If Traffic logs are disabled, the App-ID shows
as incomplete. For example, a lot of GlobalProtect
traffic is intrazone traffic (Untrust zone to Untrust zone), but
the default intra-zone policy does not enable Traffic logs. To see
the App-ID for GlobalProtect intrazone traffic, you need to enable
the Traffic log for intrazone traffic.
Another reason that
the App-ID may display as incomplete is that
for long sessions, the firewall may generate the Decryption log
before the Traffic log is complete (the Traffic log is usually generated
at session end). In those cases, the App-ID is not available for
the Decryption log. In addition, when the TLS handshake fails and
generates an error log, the App-ID is not available because the
failure terminates the session before the firewall can determine
the App-ID. In these cases, the application may display as ssl or as incomplete.
When you forward Decryption logs for storage, ensure that you
properly secure log transport and storage because Decryption logs
contain sensitive information.
When the Decryption logs are enabled, the firewall sends
HTTP/2 logs as Tunnel Inspection logs (when Decryption logs are disabled,
HTTP/2 logs are sent as Traffic logs), so you need to check the
Tunnel Inspection logs instead of the Traffic logs for HTTP/2 events.
In addition, you must enable Tunnel Content Inspection to
obtain the App-ID for HTTP/2 traffic.