Troubleshoot and Monitor Decryption
Troubleshoot, investigate, and resolve TLS decryption issues using visibility-enhancing diagnostic tools.
Troubleshooting tools provide enhanced visibility into TLS traffic so you can monitor your decryption deployment. The tools enable you to diagnose and resolve decryption issues quickly, close weaknesses in your decryption deployment, and improve your security posture. For example, you can:
  • Identify traffic that causes decryption failures by Server Name Indication (SNI) and application.
  • Identify traffic that uses weak protocols and algorithms.
  • Examine successful and unsuccessful decryption activity in the network.
  • View detailed information about individual sessions.
  • Profile decryption usage and patterns.
  • Monitor detailed decryption statistics and information about adoption, failures, versions, algorithms, etc.
The following tools provide full visibility into the TLS handshake and help you troubleshoot and monitor your decryption deployment:
  • ACC > SSL Activity—The five ACC widgets on this tab (introduced in PAN-OS 10.0) provide details about successful and unsuccessful decryption activity in your network, including decryption failures, TLS versions, key exchanges, and the amount and type of decrypted and undecrypted traffic.
  • Monitor > Logs > Decryption—The Decryption Log (introduced in PAN-OS 10.0) provides comprehensive information about individual sessions that match a Decryption policy rule (including No Decryption rules for traffic you don’t decrypt) and about GlobalProtect sessions when you enable Decryption logging in the GlobalProtect Portal or GlobalProtect Gateway configuration. Select which columns to display to view information such as application, SNI, Decryption Policy Name, error index, TLS version, key exchange version, encryption algorithm, certificate key types, and many other characteristics. Filter the information in columns to identify traffic that uses particular TLS versions and algorithms, particular errors, or any other characteristics you want to investigate. By default, Decryption policies log only unsuccessful TLS handshakes. If you have the available log storage, configure Decryption policies to log successful TLS handshakes as well to gain visibility into those decrypted sessions (this increases log volume considerably, because every decrypted session then produces a log entry).
  • Local Decryption Exclusion Cache—There are two constructs for sites that break decryption for technical reasons such as client authentication or pinned certificates and therefore need to be excluded from decryption: the SSL Decryption Exclusion List and the Local Decryption Exclusion Cache. The SSL Decryption Exclusion List contains the servers that Palo Alto Networks has identified as breaking decryption technically. Content updates keep the list up-to-date, and you can add servers to the list manually. The Local Decryption Exclusion Cache automatically adds servers that local users encounter that break decryption for technical reasons and excludes them from decryption, provided that the Decryption profile applied to the traffic allows unsupported modes (if the profile blocks unsupported modes, the firewall blocks the traffic instead of adding the server to the local cache).
  • Custom Report Templates for Decryption—You can create custom reports (Monitor > Manage Custom Reports) using four predefined templates that summarize decryption activity (introduced in PAN-OS 10.0).
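The same questions the Decryption Log answers in the UI (which SNI and application cause handshake failures, which sessions negotiated weak protocols or algorithms, how much traffic was decrypted versus not decrypted) can be asked of an exported or forwarded copy of the log. The following is an added example, not PAN-OS code or a Palo Alto Networks tool. The CSV layout and field names (`error`, `tls_version`, `key_exchange`, `enc_alg`, `proxy_type`, ...) are assumptions standing in for an export of the columns listed above, and the log lines are constructed for the example; map the names to the columns of your own export before using it.

```python
"""Offline triage of a Decryption-log export (added example, not PAN-OS code).

Assumed export layout: one CSV row per session with the columns below.
These names are assumptions, not the exact PAN-OS column names.
An empty `error` field means the TLS handshake succeeded.
"""
import csv
import io
from collections import Counter

# Constructed sample export; none of these rows are real firewall output.
SAMPLE_LOG = """\
receive_time,src,dst,app,sni,policy_name,proxy_type,error,tls_version,key_exchange,enc_alg,hash_alg
2024/05/01 10:00:01,10.1.1.5,93.184.216.34,web-browsing,example.com,decrypt-outbound,Forward,,TLS1.3,X25519,AES-256-GCM,SHA384
2024/05/01 10:00:02,10.1.1.7,198.51.100.20,ssl,pinned.example.net,decrypt-outbound,Forward,Received fatal alert CertificateUnknown from client,TLS1.2,ECDHE,AES-128-GCM,SHA256
2024/05/01 10:00:03,10.1.1.9,203.0.113.8,ssl,legacy.example.org,decrypt-outbound,Forward,Unsupported protocol version,TLS1.0,RSA,3DES-CBC,SHA1
2024/05/01 10:00:04,10.1.1.7,198.51.100.20,ssl,pinned.example.net,decrypt-outbound,Forward,Received fatal alert CertificateUnknown from client,TLS1.2,ECDHE,AES-128-GCM,SHA256
2024/05/01 10:00:05,10.1.1.12,203.0.113.9,web-browsing,old.example.org,decrypt-outbound,Forward,,TLS1.1,RSA,AES-128-CBC,SHA1
2024/05/01 10:00:06,10.1.1.5,93.184.216.34,web-browsing,example.com,no-decrypt-finance,No Decrypt,,TLS1.2,ECDHE,AES-256-GCM,SHA384
"""

# What counts as "weak" is a local policy decision; these sets are the
# example's own thresholds (anything below TLS 1.2, legacy ciphers,
# key exchange without forward secrecy, legacy hash algorithms).
WEAK_TLS_VERSIONS = {"SSLv3", "TLS1.0", "TLS1.1"}
WEAK_CIPHER_TOKENS = ("RC4", "DES", "NULL", "EXPORT")   # "DES" also matches 3DES
NON_PFS_KEX = {"RSA"}
WEAK_HASHES = {"MD5", "SHA1"}


def parse_decryption_log(text):
    """Parse the CSV export into a list of dicts, one per session."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def failures_by_sni(records):
    """Count handshake failures keyed by (SNI, application, error text).

    Repeated failures for one SNI/app pair are the first candidates for a
    Decryption profile change or an SSL Decryption Exclusion List entry.
    """
    return Counter((r["sni"], r["app"], r["error"]) for r in records if r["error"])


def weakness_reasons(record):
    """Return the list of reasons a session is considered weak (empty if none)."""
    reasons = []
    if record["tls_version"] in WEAK_TLS_VERSIONS:
        reasons.append(f"protocol {record['tls_version']}")
    if any(tok in record["enc_alg"].upper() for tok in WEAK_CIPHER_TOKENS):
        reasons.append(f"cipher {record['enc_alg']}")
    if record["key_exchange"].upper() in NON_PFS_KEX:
        reasons.append(f"key exchange {record['key_exchange']} (no forward secrecy)")
    if record["hash_alg"].upper() in WEAK_HASHES:
        reasons.append(f"hash {record['hash_alg']}")
    return reasons


def weak_sessions(records):
    """List sessions that negotiated weak parameters, with the reasons."""
    out = []
    for r in records:
        reasons = weakness_reasons(r)
        if reasons:
            out.append({"sni": r["sni"], "src": r["src"],
                        "policy": r["policy_name"], "reasons": reasons})
    return out


def triage_summary(records):
    """Totals that mirror the ACC view: decrypted, not decrypted by policy, failed, weak."""
    decrypted = sum(1 for r in records if r["proxy_type"] != "No Decrypt" and not r["error"])
    not_decrypted = sum(1 for r in records if r["proxy_type"] == "No Decrypt")
    failed = sum(1 for r in records if r["error"])
    return {"sessions": len(records), "decrypted": decrypted,
            "not_decrypted_by_policy": not_decrypted, "failed": failed,
            "weak": len(weak_sessions(records))}


if __name__ == "__main__":
    recs = parse_decryption_log(SAMPLE_LOG)
    print(triage_summary(recs))
    for key, count in failures_by_sni(recs).most_common():
        print(count, *key)
    for w in weak_sessions(recs):
        print(w["sni"], w["policy"], "; ".join(w["reasons"]))
```

Run against the constructed sample, the failure counter surfaces pinned.example.net (two CertificateUnknown alerts from the client, the usual signature of a pinned certificate) as the top candidate for exclusion, and the weakness check flags legacy.example.org and old.example.org even though the latter decrypted successfully, which is the case the UI filter on TLS version is meant to catch.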
The general troubleshooting methodology is to start with the ACC widgets to identify traffic that causes decryption issues. Next, use the Decryption Log and custom report templates to drill down into details and gain context about that traffic. This enables you to diagnose issues accurately and much more easily than in the past. Understanding decryption issues and their causes enables you to select the appropriate way to fix each issue, such as:
  • Modify Decryption policy rules (a policy rule defines the traffic that the rule affects, the action taken on that traffic, log settings, and the Decryption profile applied to the traffic).
  • Modify Decryption profiles (acceptable protocols and algorithms for the traffic that a Decryption policy rule controls, plus failure checks, unsupported mode checks for items such as unsupported ciphers and versions, certificate checks, etc.).
  • Add sites that break decryption for technical reasons to the SSL Decryption Exclusion List.
  • Evaluate security decisions about which sites your employees, customers, and partners really need to access and which sites you can block when they use weak TLS protocols or algorithms.
The goal is to decrypt all the traffic you can (a decryption best practice) so that you can inspect it, and to handle the traffic you don’t decrypt properly.
In PAN-OS 10.0 or later, the firewall allocates 1% of its log storage to Decryption logs by default. Step 3 in Configure Decryption Logging shows you how to modify the log space allocation to provide more space for Decryption logs.
If you downgrade from PAN-OS 10.0 or later to PAN-OS 9.1 or earlier, the features introduced in PAN-OS 10.0 (Decryption Log, SSL Activity widgets in the ACC, custom report Decryption templates) are removed from the UI. References to Decryption logs are also removed from Log Forwarding profiles. In addition, the Local Decryption Exclusion Cache is only viewable using the CLI in PAN-OS 9.1 and earlier (PAN-OS 10.0 added the local cache to the UI).
If you push configurations from Panorama on PAN-OS 10.0 or later to devices that run PAN-OS 9.1 or earlier, Panorama removes the features introduced in PAN-OS 10.0.