How Do I Know if Traffic Is Hitting a Decryption Policy?

This article is based on the discussion "How can I know that traffic is hitting a configured decryption policy?", posted by @AKamal and answered by @OtakarKlier, @Panos, @VinceM, @Sraghunandan and @Adrian_Jensen. Read on to see the discussion and solution!

SSL decryption policy question: How can I know that traffic is hitting a configured decryption policy?

There's nothing in the Monitor tab for decryption policies, nor can I get anything out of the CLI command "show log traffic rule equal DECRYPTION-RULE-NAME".

Any ideas?

  • If traffic hits a rule and is decrypted, you can see it from Monitor > Traffic log inside the Log Details.

    [Screenshot: Log Details view of a decrypted session]

  • The following CLI commands are useful too:

    > show session all
    or
    > show session all filter ssl-decrypt yes

    If you see an asterisk under the 'Flag' column, that means the session is getting decrypted.
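As an added example (not part of the original discussion), the following Python script parses `show session all` output and reports which sessions carry the asterisk in the Flag column, so the check from the answer above can be run over a saved CLI capture instead of by eye. The sample output is constructed, and its column layout (ID, Application, State, Type, Flag, then one source line and one destination line per session) is an approximation of the PAN-OS session table assumed for this example; the function names `parse_sessions` and `decrypted_sessions` and the constant `SAMPLE_OUTPUT` are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `show session all` output.  The column layout is an
# approximation of the PAN-OS session table assumed for this example; the
# addresses and session IDs are made up.  The last session has an empty Flag
# column, the edge case the parser has to handle without shifting fields.
SAMPLE_OUTPUT = """\
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
10245        ssl            ACTIVE  FLOW  *NS  10.1.20.15[51234]/trust/6  (203.0.113.10[51234])
vsys1                                          93.184.216.34[443]/untrust  (93.184.216.34[443])
10301        ssl            ACTIVE  FLOW  NS   10.1.20.22[49822]/trust/6  (203.0.113.10[49822])
vsys1                                          198.51.100.7[443]/untrust  (198.51.100.7[443])
10377        web-browsing   ACTIVE  FLOW  *NS  10.1.20.15[51240]/trust/6  (203.0.113.10[51240])
vsys1                                          93.184.216.34[443]/untrust  (93.184.216.34[443])
10399        dns            ACTIVE  FLOW       10.1.20.30[53211]/trust/17  (10.1.20.30[53211])
vsys1                                          10.1.1.10[53]/trust  (10.1.1.10[53])
"""

# Source line: ID, app, state, type, an optional Flag field, then
# srcIP[sport]/zone/proto.  Flag is optional because a session with neither
# NAT nor decryption prints nothing in that column; a fixed-position split
# would then read the source address as the flag.
_SRC_LINE = re.compile(
    r"^(?P<sid>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+(?P<type>\S+)\s+"
    r"(?:(?P<flag>[^\s\[]+)\s+)?"
    r"(?P<src>[^\s\[]+)\[(?P<sport>\d+)\]/(?P<szone>[^/\s]+)/(?P<proto>\d+)"
)
# Destination line: vsys, then dstIP[dport]/zone.
_DST_LINE = re.compile(
    r"^(?P<vsys>\S+)\s+(?P<dst>[^\s\[]+)\[(?P<dport>\d+)\]/(?P<dzone>[^/\s]+)"
)


@dataclass
class Session:
    sid: int
    app: str
    state: str
    flags: str
    vsys: str
    src: str
    sport: int
    szone: str
    proto: int
    dst: str
    dport: int
    dzone: str

    @property
    def decrypted(self) -> bool:
        # Per the answer above: an asterisk in the Flag column means the
        # session is being decrypted.  Other letters (e.g. NAT markers) are ignored.
        return "*" in self.flags


def parse_sessions(text: str) -> List[Session]:
    """Return one Session per (source line, destination line) pair."""
    sessions: List[Session] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = _SRC_LINE.match(lines[i])
        d = _DST_LINE.match(lines[i + 1]) if m and i + 1 < len(lines) else None
        if not (m and d):
            i += 1  # header, separator, or unrecognised line
            continue
        sessions.append(Session(
            sid=int(m["sid"]), app=m["app"], state=m["state"],
            flags=m["flag"] or "", vsys=d["vsys"],
            src=m["src"], sport=int(m["sport"]), szone=m["szone"],
            proto=int(m["proto"]),
            dst=d["dst"], dport=int(d["dport"]), dzone=d["dzone"],
        ))
        i += 2
    return sessions


def decrypted_sessions(text: str) -> List[Session]:
    """Only the sessions whose Flag column contains the asterisk."""
    return [s for s in parse_sessions(text) if s.decrypted]


if __name__ == "__main__":
    for s in decrypted_sessions(SAMPLE_OUTPUT):
        print(f"{s.sid:>6} {s.app:<14} {s.src}:{s.sport} -> {s.dst}:{s.dport} "
              f"({s.szone} -> {s.dzone}) flags={s.flags}")
```

On a real firewall, paste the output of `show session all` (or the `filter ssl-decrypt yes` form from the answer, in which case every parsed session should report `decrypted == True`) into `parse_sessions`; if your PAN-OS version prints the table with different columns, adjust `_SRC_LINE` and `_DST_LINE` rather than the flag test.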

  • There are a lot of hidden columns in the logs. To add them to the view, click one of the column headers, then hover your mouse over the Columns chevron and the display options appear.
    [Screenshot: column display options menu]

    The ones you will want to have checked are the following:
    [Screenshot: list of columns to enable]
 
NOTE: "Decryption Rule" must be a PAN-OS 10.x-specific column, as it does not show up in PAN-OS 9.x. However, you can test which decryption rule would apply to a given source/destination by using the 'Test Policy Match' tool at the bottom of the Decryption Policy page.

Last Updated: 09-07-2022 01:01 PM