Verify that your decryption configuration decrypts the traffic you want to decrypt and doesn’t decrypt the sensitive traffic that you don’t want to decrypt.
After you configure a best practice decryption profile and apply it to traffic, check the log files to verify that the firewall is decrypting the traffic that you intend to decrypt and that the firewall is not decrypting the traffic that you don’t want to decrypt. In addition, follow post-deployment decryption best practices to maintain the deployment.
- View Decrypted Traffic Sessions—Filter
the Traffic Logs (MonitorLogsTraffic)
using the filter ( flags has proxy ).This filter displays only logs in which the SSL proxy flag is on, meaning only decrypted traffic—every log entry has the value yes in the Decrypted column.You can filter the traffic in a more granular fashion by adding more terms to the filter. For example, you can filter for decrypted traffic going only to the destination IP address 188.8.131.52 by adding the filter ( addr.dst in 184.108.40.206 ):
- View SSL Traffic Sessions That Are Not Decrypted—Filter
the Traffic Logs (MonitorLogsTraffic)
using the filter ( not flags has proxy ) and ( app eqssl ).This filter displays only logs in which the SSL proxy flag is off (meaning only encrypted traffic) and the traffic is SSL traffic; every log entry has the value no in the Decrypted column and the value ssl in the Application column.Similar to the example for viewing decrypted traffic logs, you can add terms to filter the traffic that you don’t decrypt in a more granular fashion.
- View The Log for a Particular Session—To view
the decryption log for a particular session, filter on the Session
ID.For example, to see the log for a session with the ID 362370, filter using the term ( sessionid eq 362370 ). You can find the ID number in the Session ID column in the log output, as shown in the previous screens. If the Session ID column isn’t displayed, add the column to the output.
- Drill Down Into the Details—To view more information
about a particular log entry, click the magnifying glass to see
a detailed log view. For example, for Session ID 362370 (shown in the
previous bullet), the detailed log looks like this:The box for the Decrypted flag provides a second way to verify if traffic was decrypted.You can also take upstream and downstream packet captures of decrypted traffic to view how the firewall processes SSL traffic and takes actions on packets, or perform deep packet inspection.
You can’t protect yourself against threats you can’t see. Decrypt traffic to reveal encrypted threats so the firewall can protect your network against them. ...
Create a Decryption Profile
Attach Decryption profiles to Decryption policy rules to control the protocol versions, algorithms, verification checks, and session checks the firewall accepts for the traffic defined ...
Learn about outbound and inbound SSL decryption, SSH Proxy decryption, Decryption Mirroring, and the keys and certificates that make decryption possible. ...
Deploy SSL Decryption Using Best Practices
Following SSL Decryption deployment best practices help to ensure a smooth, prioritized rollout and that you decrypt the traffic you need to decrypt to safeguard ...
How to Decrypt Data Center Traffic
Use SSL Decryption to inspect all encrypted network traffic and make hidden threats visible. ...
Create a Decryption Policy Rule
Decryption policy rules granularly define the traffic to decrypt or not to decrypt based on the source, destination, service (application port), and URL Category. ...
Create User-to-Data-Center Decryption Policy Rules
Create rules that decrypt user traffic flowing to the data center so you can inspect the traffic and protect your most valuable assets against malware ...
Configure Decryption Broker with a Single Transparent Bridg...
Configure Decryption Broker with a Single Transparent Bridge Security Chain Perform the following steps to enable the firewall to act as a decryption broker that ...
Configure SSH Proxy
SSH Proxy decryption requires no certificates and decrypts inbound and outbound SSH sessions and ensures that attackers can’t use SSH to tunnel potentially malicious applications ...