Overview
This document describes how to view SSL Decryption Information from the CLI.
Details
The following show system setting ssl-decrypt commands provide information about SSL decryption on the Palo Alto Networks device:
- Show the list of ssl-decrypt certificates loaded on the dataplane
> show system setting ssl-decrypt certificate
- Show the list of cached certificates loaded on the dataplane
> show system setting ssl-decrypt certificate-cache
- Show the list of cached DNS entries
> show system setting ssl-decrypt dns-cache
- Show the list of cached servers excluded from decryption
> show system setting ssl-decrypt exclude-cache
- Show the list of GlobalProtect cookies
> show system setting ssl-decrypt gp-cookie-cache
- Show the list of HSM requests
> show system setting ssl-decrypt hsm-request
- Show the SSL decryption memory usage
> show system setting ssl-decrypt memory
- Show the list of users whose notify option (whether or not to notify them of SSL decryption) has been cached. If the cache is on, the user will not be notified every time they browse to an encrypted site.
> show system setting ssl-decrypt notify-cache
- Show URL rewrite statistics
> show system setting ssl-decrypt rewrite-stats
- Show the list of cached sessions
> show system setting ssl-decrypt session-cache
- Show SSL decryption settings
> show system setting ssl-decrypt setting
To display the count of decrypted sessions:
> show session all filter ssl-decrypt yes count yes
Number of sessions that match filter: 2758
To view the decrypted sessions:
> show session all filter ssl-decrypt yes
To clear the decrypted sessions:
> clear session all filter ssl-decrypt yes
To reset the ssl-decrypt cache (one option per command):
> debug dataplane reset ssl-decrypt <option>
- certificate-cache Clear all ssl-decrypt certificate cache in dataplane
- certificate-status Clear all ssl-decrypt certificate CRL status cached in dataplane
- dns-cache Clear ssl-decrypt DNS cache
- exclude-cache Clear all exclude cache in dataplane
- hsm-cache Clear all ssl-decrypt HSM request in dataplane
- notify-cache Clear all ssl-decrypt notify-user cache in dataplane
- rewrite-stats Clear URL rewrite cache
- session-cache Clear all ssl-decrypt session cache in dataplane
The following command lists the proxy-related global counters; non-zero counters with severity warn, error or drop point to SSL decryption failures:
> show counter global | match proxy
proxy_process 1205 0 info proxy pktproc Number of flows go through proxy
proxy_no_process 453 0 info proxy pktproc Number of flows donot go through proxy
proxy_wqe_held 253 0 info proxy resource Number of wqe held by proxy for notify answer
proxy_excluded 78 0 info proxy pktproc Number of ssl sessions bypassed proxy because of exclusion
proxy_client_hello_failed 4 0 warn proxy pktproc Number of ssl sessions bypassed proxy because client hello can't be parsed
proxy_url_request_pkt_drop 24 0 info proxy pktproc The number of packets get dropped because of waiting for url category request in ssl proxy
proxy_url_category_unknown 435 0 info proxy pktproc Number of sessions checked by proxy with unknown url category
url_session_not_in_ssl_wait 4 0 error url system The session is not waiting for url in ssl proxy
proxy_url_request_pkt_drop 266 0 drop proxy pktproc The number of packets get dropped because of waiting for url category request in ssl proxy
proxy_timer_del_session_added 4 0 info proxy pktproc Number of timers added for deleting proxy host connection
proxy_timer_del_sessions 4 0 info proxy pktproc Number of proxy host connections deleted due to timer
proxy_proxy_host_not_connected 15 0 warn proxy pktproc Number of packets proxy_host tried to receive or transmit when not connected
url_session_not_in_ssl_wait 40 0 error url system The session is not waiting for url in ssl proxy
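Reading this counter output by eye works for a one-off check, but when tracking decryption health over time it helps to parse it. The following Python script is an added example, not part of the original article or of any Palo Alto Networks tool. It parses the column layout shown above (name, value, rate, severity, category, aspect, description), lists the non-zero counters whose severity is warn, error or drop, and compares two snapshots so that a rising failure counter stands out. The sample text is constructed from the lines in the article, and the second snapshot (with proxy_client_hello_failed raised from 4 to 9) is invented to show the delta logic.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of `show counter global | match proxy` output, built from
# the counter lines quoted in the article above.
SAMPLE_OUTPUT = """\
proxy_process 1205 0 info proxy pktproc Number of flows go through proxy
proxy_no_process 453 0 info proxy pktproc Number of flows donot go through proxy
proxy_excluded 78 0 info proxy pktproc Number of ssl sessions bypassed proxy because of exclusion
proxy_client_hello_failed 4 0 warn proxy pktproc Number of ssl sessions bypassed proxy because client hello can't be parsed
proxy_url_request_pkt_drop 266 0 drop proxy pktproc The number of packets get dropped because of waiting for url category request in ssl proxy
proxy_proxy_host_not_connected 15 0 warn proxy pktproc Number of packets proxy_host tried to receive or transmit when not connected
url_session_not_in_ssl_wait 40 0 error url system The session is not waiting for url in ssl proxy
"""

# Constructed second snapshot (hypothetical): client-hello failures went up.
SAMPLE_LATER = SAMPLE_OUTPUT.replace(
    "proxy_client_hello_failed 4 0", "proxy_client_hello_failed 9 1"
)


class Counter(NamedTuple):
    name: str
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    description: str


# One counter per line: name, value, rate, severity, category, aspect, free text.
COUNTER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>\S+)\s+(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<description>.*)$"
)

# Severities that indicate a decryption problem rather than normal accounting.
FAILURE_SEVERITIES = {"warn", "error", "drop"}


def parse_counters(text: str) -> Dict[str, Counter]:
    """Parse counter lines into a dict keyed by counter name; non-matching lines are skipped."""
    counters: Dict[str, Counter] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNTER_RE.match(line) if line else None
        if not m:
            continue  # header, blank or wrapped line
        counter = Counter(
            m["name"], int(m["value"]), int(m["rate"]),
            m["severity"], m["category"], m["aspect"], m["description"],
        )
        counters[counter.name] = counter
    return counters


def failures(counters: Dict[str, Counter]) -> List[Counter]:
    """Return non-zero counters with a failure severity, sorted by name."""
    return sorted(
        (c for c in counters.values()
         if c.severity in FAILURE_SEVERITIES and c.value > 0),
        key=lambda c: c.name,
    )


def counter_deltas(before: Dict[str, Counter], after: Dict[str, Counter]) -> Dict[str, int]:
    """Return counters whose value increased between two snapshots (name -> increase)."""
    deltas: Dict[str, int] = {}
    for name, c in after.items():
        prev = before.get(name)
        increase = c.value - (prev.value if prev else 0)
        if increase > 0:
            deltas[name] = increase
    return deltas


if __name__ == "__main__":
    first = parse_counters(SAMPLE_OUTPUT)
    for c in failures(first):
        print(f"{c.severity:5} {c.name:32} {c.value:6}  {c.description}")
    later = parse_counters(SAMPLE_LATER)
    print("increased since last snapshot:", counter_deltas(first, later))
```

Global counters on the device are cumulative since the last dataplane restart, so the absolute value of a warn or error counter says little on its own; running the parser on two captures taken some minutes apart and looking at the deltas shows whether a failure is ongoing.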