https://live.paloaltonetworks.com/t5/general-topics/decrypted-flag-under-monitor-logs/m-p/458204#M101884 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27715">@inderjit21</a> ,</P> <P>In addition to what <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp; mentioned,&nbsp; if you have any URL category with action "Continue" and "Override", basically URL that firewall will send response page. Check this link - <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFKCA0" target="_self">How to Serve a URL Response Page Over an HTTPS Session Without SSL Decryption</A>&nbsp;</P> <P>But in those cases I think firewall will only decrypt initial request, just to be able to inject the HTTP Redirect, after that I assume nothing is actually decrypted.</P> Wed, 12 Jan 2022 08:13:35 GMT aleksandar.astardzhiev 2022-01-12T08:13:35Z https://live.paloaltonetworks.com/t5/general-topics/decrypted-flag-under-monitor-logs/m-p/458095#M101880 <P>Is it normal to see Decrypted flag as yes even when there is no decryption policy configured.</P><P>So what traffic will PA decrypt even when there is no decrypt policy?</P> Tue, 11 Jan 2022 22:55:04 GMT https://live.paloaltonetworks.com/t5/general-topics/decrypted-flag-under-monitor-logs/m-p/458095#M101880 inderjit21 2022-01-11T22:55:04Z https://live.paloaltonetworks.com/t5/general-topics/decrypted-flag-under-monitor-logs/m-p/458154#M101881 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27715">@inderjit21</a>,</P> <P>GlobalProtect traffic will show decrypted regardless of whether or not you have a decryption policy setup for it. Other than that I can't think of anything off hand that should have that flag without a decryption entry.&nbsp;</P> Wed, 12 Jan 2022 03:16:55 GMT https://live.paloaltonetworks.com/t5/general-topics/decrypted-flag-under-monitor-logs/m-p/458154#M101881 BPry 2022-01-12T03:16:55Z https://live.paloaltonetworks.com/t5/general-topics/decrypted-flag-under-monitor-logs/m-p/458204#M101884 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27715">@inderjit21</a> ,</P> <P>In addition to what <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp; mentioned,&nbsp; if you have any URL category with action "Continue" and "Override", basically URL that firewall will send response page. Check this link - <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFKCA0" target="_self">How to Serve a URL Response Page Over an HTTPS Session Without SSL Decryption</A>&nbsp;</P> <P>But in those cases I think firewall will only decrypt initial request, just to be able to inject the HTTP Redirect, after that I assume nothing is actually decrypted.</P> Wed, 12 Jan 2022 08:13:35 GMT https://live.paloaltonetworks.com/t5/general-topics/decrypted-flag-under-monitor-logs/m-p/458204#M101884 aleksandar.astardzhiev 2022-01-12T08:13:35Z