article How Do I Know if Traffic Is Hitting a Decryption Policy? in General Articles

article How Do I Know if Traffic Is Hitting a Decryption Policy? in General Articles https://live.paloaltonetworks.com/t5/general-articles/how-do-i-know-if-traffic-is-hitting-a-decryption-policy/ta-p/514149 <P><STRONG><EM><I data-stringify-type="italic">This article is based on a discussion,<SPAN><A title=" how can I know that traffic is hitting a configured decryption policy ?" href="https://live.paloaltonetworks.com/t5/general-topics/how-can-i-know-that-traffic-is-hitting-a-configured-decryption/td-p/27841#M106732" target="_blank" rel="noopener"> how can I know that traffic is hitting a configured decryption policy ?</A>,</SPAN></I><I data-stringify-type="italic"> posted by <A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/20013" target="_blank" rel="noopener">@AKamal</A> </I><I data-stringify-type="italic">and answered by <A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580" target="_blank" rel="noopener">@OtakarKlier</A>, <A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/28393" target="_blank" rel="noopener">@Panos</A>, <A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5976" target="_blank" rel="noopener">@VinceM</A>, <A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/20889" target="_blank" rel="noopener">@Sraghunandan</A> and <A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/184804" target="_blank" rel="noopener">@Adrian_Jensen</A>.</I><I data-stringify-type="italic"> Read on to see the discussion and solution!</I></EM></STRONG></P> <P> </P> <DIV class="lia-message-template-content-zone"> <BLOCKQUOTE> <P>SSL decryption Policy question: How can I know that traffic is hitting a configured decryption policy ?</P> <P>There's nothing in the Monitor Tab for decryption policies, nor can I get anything out of the CLI command "show log traffic rule equal DECRYPTION-RULE-NAME"</P> <P>Any ideas ?</P> </BLOCKQUOTE> <UL> <LI>If traffic hits a rule and is decrypted you can see it from monitor/traffic log inside the Log Details<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kiwi_0-1662557896552.jpeg" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43708i9D858B285091371F/image-size/medium?v=v2&px=400" role="button" title="kiwi_0-1662557896552.jpeg" alt="kiwi_0-1662557896552.jpeg" /></span> <P> </P> </LI> <LI>The following CLI commands are useful too<BR /><BR /><LI-CODE lang="markup">> show session all or > show session all filter ssl-decrypt yes</LI-CODE> <P>If you see an asterisk under the 'Flag' column that means the session is getting decrypted.<BR /><BR /></P> </LI> <LI>There are a lot of hidden Columns in the logs. To add them into the view, click one of the column headers and then hover your mouse over the Columns chevron and the display options appear.<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="OtakarKlier_0-1662490849280.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43697i9F9585CFEC5A4991/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="OtakarKlier_0-1662490849280.png" alt="OtakarKlier_0-1662490849280.png" /></span><BR /><BR />The ones you will want to have checked are the following:<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="OtakarKlier_1-1662490919616.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43698i163120EA0A6088D4/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="OtakarKlier_1-1662490919616.png" alt="OtakarKlier_1-1662490919616.png" /></span></LI> </UL> </DIV> <DIV class="lia-message-template-content-zone"> </DIV> <DIV class="lia-message-template-content-zone"><MARK>NOTE: "Decryption Rule" must be a PAN-OS 10.x specific column as it does not show up in PAN-OS 9.x. However, you can test which decryption rule would apply to a given source/destination by using the 'Test Policy Match" tool at the bottom of the Decryption Policy page.</MARK> <P> </P> </DIV> <DIV data-extension-version="1.0.4"><STRONG>Additional information:</STRONG><BR /> <P><STRONG><A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/troubleshoot-and-monitor-decryption" target="_blank" rel="noopener">TechDocs: Troubleshoot and Monitor Decryption</A></STRONG></P> </DIV> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4"> </DIV> Wed, 07 Sep 2022 20:01:54 GMT kiwi 2022-09-07T20:01:54Z How Do I Know if Traffic Is Hitting a Decryption Policy? https://live.paloaltonetworks.com/t5/general-articles/how-do-i-know-if-traffic-is-hitting-a-decryption-policy/ta-p/514149 <P> </P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4"> </DIV> Wed, 07 Sep 2022 20:01:54 GMT https://live.paloaltonetworks.com/t5/general-articles/how-do-i-know-if-traffic-is-hitting-a-decryption-policy/ta-p/514149 kiwi 2022-09-07T20:01:54Z