How to check which decrypted sessions are being ported mirrored

Created On 09/26/18 13:49 PM - Last Modified 06/15/23 21:47 PM


Environment


  • Palo Alto Firewall
  • Supported PAN-OS
  • Decryption Port mirror


Resolution


  • When a session is marked for mirroring, the firewall adds the mirror flag to it, so all data that follows on that session is sent to the dedicated mirror interface.
  • Because the flag is stored on the session itself, the sessions subject to forwarding are easy to find, both in the session table and in the logs.
  • Refer to the Decryption Port Mirror documentation.

 

  1. To check which active sessions are being forwarded to the mirror port, use this CLI command:
admin@PA-5050-HA-Primary> show session all filter decrypt-mirror yes

--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------

33557825     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55572]/Untrust/6  (10.193.88.91[47276])
vsys1                                          74.125.71.139[443]/Untrust  (74.125.71.139[443])

33557818     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55564]/Untrust/6  (10.193.88.91[2860])
vsys1                                          216.58.209.230[443]/Untrust  (216.58.209.230[443])

33557822     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55567]/Untrust/6  (10.193.88.91[7089])
vsys1                                          173.194.78.100[443]/Untrust  (173.194.78.100[443])

33557829     youtube-base   ACTIVE  FLOW *NS   10.193.91.111[55576]/Untrust/6  (10.193.88.91[31508])
vsys1                                          74.125.105.16[443]/Untrust  (74.125.105.16[443])

33557814     youtube-base   ACTIVE  FLOW *NS   10.193.91.111[55560]/Untrust/6  (10.193.88.91[14969])
vsys1                                          216.58.209.238[443]/Untrust  (216.58.209.238[443])
.....

 

  2. In the GUI the same result is obtained by listing the session table in the Session Browser with a filter:
  • GUI: Monitor > Session Browser.
  • Click + on the filter bar to open the filter settings.
  • In the filter settings, set "Decrypt Mirror" to "yes".


  3. When a session closes, and logging at session end is enabled, the firewall writes an entry to the traffic log. The filter "flags has decrypt-mirror" shows every logged session that carried the "decrypt-mirror" flag.


 

If the logged session is opened, the "Mirrored" flag can also be seen in its details.
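As an added example, not part of the article or of any Palo Alto Networks tool: a small Python parser for the two-line records printed by "show session all filter decrypt-mirror yes" (the CLI output shown above), pairing each record into one dict and summarising which applications and destinations are currently being mirrored. The sample input is constructed from the output above; the field names (src, dst, nat_src and so on) are the parser's own.

```python
import re
from collections import Counter
# Constructed sample in the two-line record format printed by
# "show session all filter decrypt-mirror yes" (values copied from the output above).
SAMPLE_OUTPUT = """\
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
33557825     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55572]/Untrust/6  (10.193.88.91[47276])
vsys1                                          74.125.71.139[443]/Untrust  (74.125.71.139[443])

33557829     youtube-base   ACTIVE  FLOW *NS   10.193.91.111[55576]/Untrust/6  (10.193.88.91[31508])
vsys1                                          74.125.105.16[443]/Untrust  (74.125.105.16[443])
"""

# Record line 1: ID, app, state, type, optional flag, src[port]/zone/proto, optional NAT source.
FIRST_LINE = re.compile(
    r"^(?P<id>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+(?P<type>\S+)\s+"
    r"(?:(?P<flag>\*?[A-Za-z]+)\s+)?"
    r"(?P<src>[^\s\[]+)\[(?P<sport>\d+)\]/(?P<szone>[^/\s]+)/(?P<proto>\d+)"
    r"(?:\s+\((?P<nat_src>[^\s\[]+)\[(?P<nat_sport>\d+)\]\))?"
)
# Record line 2: vsys, dst[port]/zone, optional NAT destination (the header line never matches).
SECOND_LINE = re.compile(
    r"^(?P<vsys>\S+)\s+(?P<dst>[^\s\[]+)\[(?P<dport>\d+)\]/(?P<dzone>[^/\s]+)"
    r"(?:\s+\((?P<nat_dst>[^\s\[]+)\[(?P<nat_dport>\d+)\]\))?"
)

def parse_sessions(text):
    """Pair each record's two lines into one dict; blanks, separators and headers are skipped."""
    sessions, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = FIRST_LINE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = SECOND_LINE.match(line)
        if m and pending:
            pending.update(m.groupdict())
            sessions.append(pending)
            pending = None
    return sessions

def mirror_summary(sessions):
    """Count mirrored sessions per application and per destination, e.g. for a compliance check."""
    by_app = Counter(s["app"] for s in sessions)
    by_dst = Counter(s["dst"] + ":" + s["dport"] for s in sessions)
    return {"total": len(sessions), "by_app": dict(by_app), "by_dst": dict(by_dst)}
```

Feed it the saved output of the CLI command (for example from a scheduled collection) to keep an inventory of what is being mirrored between report runs.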


 



Additional Information


Custom reports

Regulations often require reporting on which traffic has been decrypted, so this flag can also be used to create a custom report for the decrypted traffic. This is done under Monitor > PDF Reports > Manage Custom Reports.

    1. Create a new report using the Detailed Traffic Log database.
    2. Select the time frame needed and choose the needed columns; the recommendation is to include at least Application, App Category, Source IP, Source User (if User-ID is used), Destination IP and the amount of data transferred (Bytes).
    3. Create a query that includes the flag decrypt-mirror.
    4. Test the report with the Run Now option and confirm that data is shown.
      After that the report can be scheduled to run on an interval. There is also an option to send it by email.

