Palo Alto Networks Knowledgebase: How to View SSL Decryption Information from the CLI

How to View SSL Decryption Information from the CLI

4056
Created On 09/25/18 17:19 PM - Last Updated 09/25/18 23:10 PM
Content Release Deployment
Resolution

Overview

This document describes how to view SSL Decryption Information from the CLI.

 

Details

The following show system setting ssl-decrypt commands provide information about the SSL-decryption on the Palo Alto Networks device:

  • Show the list of ssl-decrypt certificates loaded on the dataplane
    > show system setting ssl-decrypt certificate
  • Show the list of cached certificates loaded on the dataplane
    > show system setting ssl-decrypt certificate-cache
  • Show the list of cached DNS entries
    > show system setting ssl-decrypt dns-cache
  • Show the list of cached servers excluded from decryption
    > show system setting ssl-decrypt exclude-cache
  • Show the list of Global Protect cookies
    > show system setting ssl-decrypt gp-cookie-cache
  • Show the list of HSM requests
    > show system setting ssl-decrypt hsm-request
  • Show the SSL decryption memory usage
    > show system setting ssl-decrypt memory
  • Show the list of users who's notify option (whether to notify them of SSL decryption or not) has been cached. If the cache is on, the user will not be notified everytime they browse to an encrypted site.
    > show system setting ssl-decrypt notify-cache
  • Show URL rewrite statistics
    > show system setting ssl-decrypt rewrite-stats
  • Show the list of cached sessions
    > show system setting ssl-decrypt session-cache
  • Show ssl-decryption settings
    > show system setting ssl-decrypt setting

 

To display the count of decrypted sessions

> show session all filter ssl-decrypt yes count yes

Number of sessions that match filter: 2758

 

To view the decrypted sessions

> show session all filter ssl-decrypt yes

 

To clear the decrypted sessions

> clear session all filter ssl-decrypt yes

 

To reset the ssl-decrypt cache

> debug dataplane reset ssl-decrypt <option>

    • certificate-cache       Clear all ssl-decrypt certificate cache in dataplane
    • certificate-status      Clear all ssl-decrypt certificate CRL status cached in dataplane
    • dns-cache                           Clear ssl-decrypt DNS cache
    • exclude-cache                  Clear all exclude cache in dataplane
    • hsm-cache                           Clear all ssl-decrypt HSM request in dataplane
    • notify-cache                    Clear all ssl-decrypt notify-user cache in dataplane
    • rewrite-stats                  Clear URL rewrite cache
    • session-cache             Clear all ssl-decrypt session cache in dataplane

 

The following command checks for any SSL decryption related failures

 

>show counter global | match proxy
proxy_process 1205 0 info proxy pktproc Number of flows go through proxy
proxy_no_process 453 0 info proxy pktproc Number of flows donot go through proxy
proxy_wqe_held 253 0 info proxy resource Number of wqe held by proxy for notify answer
proxy_excluded 78 0 info proxy pktproc Number of ssl sessions bypassed proxy because of exclusion
proxy_client_hello_failed 4 0 warn proxy pktproc Number of ssl sessions bypassed proxy because client hello can't be parsed
proxy_url_request_pkt_drop 24 0 info proxy pktproc The number of packets get dropped because of waiting for url category request in ssl proxy
proxy_url_category_unknown 435 0 info proxy pktproc Number of sessions checked by proxy with unknown url category
url_session_not_in_ssl_wait 4 0 error url system The session is not waiting for url in ssl proxyproxy_url_request_pkt_drop               266        0 drop      proxy     pktproc   The number of packets get dropped because of waiting for url category request in ssl proxy
proxy_timer_del_session_added     4 0 info   proxy pktproc   Number of timers added for deleting proxy host connection
proxy_timer_del_sessions         4 0 info   proxy pktproc   Number of proxy host connections deleted due to timer
proxy_proxy_host_not_connected   15 0 warn   proxy pktproc   Number of packets proxy_host tried to receive or transmit when not connected
url_session_not_in_ssl_wait     40 0 error  url   system    The session is not waiting for url in ssl proxy

 



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF2CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language