topic Re: Decryption Log Forwarding in General Topics

Decryption Log Forwarding

fhewiufhwefhwe — Tue, 03 Aug 2021 22:50:22 GMT

I upgraded to PanOS 10.0.6, and am trying to forward decryption logs via email. If I go to monitor -> decryption, then I see a bunch of rows where zone.src eq untrust and zone.dst eq untrust and ( proxy_type eq GlobalProtect ), application is incomplete, and Policy Name is blank. This is exclusively or almost exclusively from bot or malicious traffic. I have log forwarding via email enabled for decryption logs, but am not receiving the logs. Any idea what the issue could be? Are other people forwarding these logs via email?

I know that I can also forward traffic logs with decryption errors, but would prefer to forward decryption logs for decryption errors. I also would like to forward alarm logs because the traffic logs fill up every couple of days since I upgraded to 10.0.x PanOS on PA-220.

Re: Decryption Log Forwarding

BPry — Wed, 04 Aug 2021 18:23:43 GMT

@fhewiufhwefhwe,

I've never actually tried to email decryption logs previously, but I did just verify that this issue is present across two of my lab systems running 10.0.6 so it's not just a you issue.

Re: Decryption Log Forwarding

fhewiufhwefhwe — Wed, 04 Aug 2021 18:30:14 GMT

Thanks BPry for confirming that. I keep notices *.stretchoid.com traffic probing my VPN. Forwarding the decrypt errors are one way to review that to potentially add their ipaddresses to a blocklist. I also have had an issue twice where the firewall rejected valid certificates until a reboot. I want to be alerted about that as well particularly if the upgrade to 10.0.6 did not solve that issue. It's too early for me to definitively tell because I had that issue every couple of months, and recently upgraded.