Palo Alto Networks Knowledgebase: How to View Decrypted Traffic

How to View Decrypted Traffic

17204
Created On 02/08/19 00:01 AM - Last Updated 02/08/19 00:01 AM
Device Management Initial Configuration Installation QoS Zone and DoS Protection
Resolution

This article will describe multiple ways to confirm whether traffic has been decrypted or not.

 

CLI

To confirm decrypt on the CLI, use the following command:

> show session all filter ssl-decrypt yes

 

Decrypted sessions will have an * (asterisk) associated with them. Viewing the session ID will mark application 'app-name (proxy)', confirming that session is decrypted.

 

WebGUI

To confirm that the traffic is decrypted inside the WebGUI > Monitor > Logs > Traffic.  Click the magnifying glass icon in the traffic log entries to confirm that the connections were decrypted.

 

2017-11-08_decrypted2.jpgYou will see the "Decrypted " checkbox checked when the traffic is decrypted. 

 

Another way to validate the decrypted session is by enabling the column "Decrypted" as below Traffic logs . This can be done by clicking on the arrow down next to any column title and selecting the Columns > Decrypted.

2017-11-08_decrypted.jpg

2017-11-08_decrypted3.jpgTraffic logs after enabling the Decrypted column.

 

See also

SSL decryption resource list

The SSL decryption resource list has a long list of articles only dealing with SSL decryption. 

 

owner: bryan



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClboCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language