How to Determine if Session was Decrypted Based on Flags in Exported/Syslog Logs
To determine if the session was decrypted by forward proxy, check the flags field in the export log.
The flags field is a bitmask: it is the sum of several values, each describing one property of the session. If the result of a bitwise AND between the flags field and the value 0x01000000 is greater than 0, the session was decrypted by forward proxy.
Example log entries:
Jul 27 23:20:45 10.193.20.181 1,2013/07/27 23:20:45,007200001038,TRAFFIC,end,1,2013/07/27 23:20:44,192.168.181.188,188.8.131.52,10.193.16.181,184.108.40.206,l3,,,web-browsing,vsys1,l3-trust,l3-untrust,ethernet1/4,ethernet1/3,ubuntu1,2013/07/27 23:20:45,22162,1,1690,443,26104,443,0x1400000,tcp,allow,10535,1339,9196,21,2013/07/27 23:18:43,61,search-engines,0,11498,0x0,192.168.0.0-192.168.255.255,United States,0,9,12
Jul 27 23:22:52 10.193.20.181 1,2013/07/27 23:22:52,007200001038,TRAFFIC,end,1,2013/07/27 23:22:52,192.168.181.188,220.127.116.11,10.193.16.181,18.104.22.168,l3,,,ssl,vsys1,l3-trust,l3-untrust,ethernet1/4,ethernet1/3,ubuntu1,2013/07/27 23:22:52,22221,1,1699,443,54395,443,0x400000,tcp,allow,116882,5721,111161,131,2013/07/27 23:21:14,68,content-delivery-networks,0,11523,0x0,192.168.0.0-192.168.255.255,United States,0,48,83
Jul 27 23:55:17 10.193.20.181 1,2013/07/27 23:55:17,007200001038,THREAT,virus,1,2013/07/27 23:55:11,22.214.171.124,192.168.181.188,126.96.36.199,10.193.16.181,l3,,,web-browsing,vsys1,l3-untrust,l3-trust,ethernet1/3,ethernet1/4,ubuntu1,2013/07/27 23:55:16,22631,1,443,1721,443,33657,0x81400000,tcp,deny,"eicar.com",Eicar Test File(100000),any,medium,server-to-client,1939,0x0,Germany,192.168.0.0-192.168.255.255,0,
For this example, the decryption on the Palo Alto Networks firewall is enabled for the following categories: "search engines" and "computer-and-internet-info".
Category: search engines - flags: 0x1400000
0x1400000 & 0x01000000 = 0x01000000 > 0, so the session was decrypted
0x1400000 & 0x00400000 = 0x00400000 > 0, so the session was NAT-translated
Category: content-delivery-networks - flags: 0x400000
0x400000 & 0x01000000 = 0, so the session was not decrypted
0x400000 & 0x00400000 = 0x00400000 > 0, so the session was NAT-translated
Category: computer-and-internet-info (the URL category is not visible in this THREAT log) - flags: 0x81400000
0x81400000 & 0x80000000 = 0x80000000 > 0, so there is a packet capture for the session
0x81400000 & 0x01000000 = 0x01000000 > 0, so the session was decrypted
0x81400000 & 0x00400000 = 0x00400000 > 0, so the session was NAT-translated