We have configured the SSL inbound decryption.
When we do the PCAPs on the PA we do not see the POST message in the rx and tx pcaps.
Need to know, is this the default behaviour?
In the traffic logs we see the decryption flag as checked.
Also from the CLI I verify that the PA is decrypting the traffic.
This is expected. If you want the POST message you would need to enable the decryption port mirror license and verify that you can legally enable that feature in your location and your industry.
From a CLI perspective the command show session all filter ssl-decrypt yes will display all the decrypted sessions across the firewall. You can filter this more to ensure that traffic is being actively decrypted where you expect it to be.
The issue is that we have a cert with a name like *.city.ca
and it has multiple sub domains like
All the URLs with the domain *.city.ca point to a single IP address.
When I do the pcaps for city.ca I see the POST and GET messages in the fw pcaps.
When the domain is maps.city.ca I do not see the GET and POST info in the pcaps of the fw.
I also tested creating a custom URL for maps.city.ca and then adding that to the decryption rule, same thing.
We opened a TAC case as we were able to exploit the vulnerability even though PA SSL decrypt is enabled.
Yes, you were spot on; you cannot see the GET/POST messages in the PCAP on the firewall or in debug ssl proxy.
But the PA should be able to see the threat signature and block it when SSL decryption is enabled.