https://live.paloaltonetworks.com/t5/next-generation-firewall/decrypt-log-missing-in-list-of-logs/m-p/589276#M3296 <P>I spent several hours yesterday trying to get decryption working.&nbsp; Everything kept coming back to being able to view the decryption log under Monitor&gt;Logs&gt;Decryption.&nbsp; However, my Palos did not have a "Decryption" option under Logs, and I could not figure out why, and could not find any documentation to explain why I could not see that option on my firewalls.&nbsp; Was it because I didn't have the right license? Was it a configuration setting somewhere that was not enabled?&nbsp; Was it because decryption just wasn't working and so there were no log messages to display?</P> <P>&nbsp;</P> <P>I'm putting this here so that hopefully if someone else has the same problem they don't waste hours like I did trying to figure out why this thing that all the documentation says you can just find at Monitor&gt;Logs&gt;Decryption, was no where to be found. (So frustration...)&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>The problem for me came down to the fact that we use Radius for normal access to our Palos.&nbsp; If I logged in with the local admin account, I was able to see the decryption log under the list of logs.&nbsp; Now I need to find out if there is a way to have Radius authenticated Admins receive Admin level access to the Palos so admins don't have to login with the local admin account.</P> Tue, 11 Jun 2024 13:22:56 GMT dsmall-pa 2024-06-11T13:22:56Z https://live.paloaltonetworks.com/t5/next-generation-firewall/decrypt-log-missing-in-list-of-logs/m-p/589276#M3296 <P>I spent several hours yesterday trying to get decryption working.&nbsp; Everything kept coming back to being able to view the decryption log under Monitor&gt;Logs&gt;Decryption.&nbsp; However, my Palos did not have a "Decryption" option under Logs, and I could not figure out why, and could not find any documentation to explain why I could not see that option on my firewalls.&nbsp; Was it because I didn't have the right license? Was it a configuration setting somewhere that was not enabled?&nbsp; Was it because decryption just wasn't working and so there were no log messages to display?</P> <P>&nbsp;</P> <P>I'm putting this here so that hopefully if someone else has the same problem they don't waste hours like I did trying to figure out why this thing that all the documentation says you can just find at Monitor&gt;Logs&gt;Decryption, was no where to be found. (So frustration...)&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>The problem for me came down to the fact that we use Radius for normal access to our Palos.&nbsp; If I logged in with the local admin account, I was able to see the decryption log under the list of logs.&nbsp; Now I need to find out if there is a way to have Radius authenticated Admins receive Admin level access to the Palos so admins don't have to login with the local admin account.</P> Tue, 11 Jun 2024 13:22:56 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/decrypt-log-missing-in-list-of-logs/m-p/589276#M3296 dsmall-pa 2024-06-11T13:22:56Z https://live.paloaltonetworks.com/t5/next-generation-firewall/decrypt-log-missing-in-list-of-logs/m-p/589333#M3297 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/287993">@dsmall-pa</a></P> <P>&nbsp;</P> <P>thanks for post.</P> <P>&nbsp;</P> <P>Based on what you described my first thought is that your RADIUS authenticated account is bound to custom role that does not have decryption logs enabled. Below is a sample:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PavelK_0-1718147557558.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60309i97737BEDF0FE44B5/image-size/medium?v=v2&amp;px=400" role="button" title="PavelK_0-1718147557558.png" alt="PavelK_0-1718147557558.png" /></span></P> <P>The decryption logs were introduced in PAN-OS 10.0 (Here is the reference: <A href="https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/verify-decryption#id185BG0KL0W1" target="_self">Verify Decryption</A>) and it is possible that whoever created a custom role in earlier version of PAN-OS prior to 10.0 has enabled access to log options available at that time. After decryption logs were introduced this log option comes automatically as disabled therefore it is not available to your RADIUS account.</P> <P>&nbsp;</P> <P>I would recommend to review setting for custom role if this is indeed being used.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel&nbsp;&nbsp;</P> Tue, 11 Jun 2024 23:17:54 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/decrypt-log-missing-in-list-of-logs/m-p/589333#M3297 PavelK 2024-06-11T23:17:54Z