How to Determine if Session was Decrypted Based on Flags in Exported/Syslog Logs

23826
Created On 09/26/18 13:55 PM - Last Modified 06/07/23 16:59 PM


Resolution


Overview

To determine whether a session was decrypted by the SSL Forward Proxy, check the flags field of the exported (syslog or CSV) log entry.

Details

The flags field is a bitmask: each bit describes one property of the session, and the hexadecimal value shown in the log is the bitwise OR of every bit that is set. If a bitwise AND of the flags field with 0x01000000 is non-zero, the session was decrypted by forward proxy. Two other bits appear in the examples below: 0x00400000 means the session was NATed, and 0x80000000 means a packet capture exists for the session.


Example log entries:

Jul 27 23:20:45 10.193.20.181 1,2013/07/27 23:20:45,007200001038,TRAFFIC,end,1,2013/07/27 23:20:44,192.168.181.188,173.194.66.94,10.193.16.181,173.194.66.94,l3,,,web-browsing,vsys1,l3-trust,l3-untrust,ethernet1/4,ethernet1/3,ubuntu1,2013/07/27 23:20:45,22162,1,1690,443,26104,443,0x1400000,tcp,allow,10535,1339,9196,21,2013/07/27 23:18:43,61,search-engines,0,11498,0x0,192.168.0.0-192.168.255.255,United States,0,9,12

Jul 27 23:22:52 10.193.20.181 1,2013/07/27 23:22:52,007200001038,TRAFFIC,end,1,2013/07/27 23:22:52,192.168.181.188,23.65.181.80,10.193.16.181,23.65.181.80,l3,,,ssl,vsys1,l3-trust,l3-untrust,ethernet1/4,ethernet1/3,ubuntu1,2013/07/27 23:22:52,22221,1,1699,443,54395,443,0x400000,tcp,allow,116882,5721,111161,131,2013/07/27 23:21:14,68,content-delivery-networks,0,11523,0x0,192.168.0.0-192.168.255.255,United States,0,48,83

Jul 27 23:55:17 10.193.20.181 1,2013/07/27 23:55:17,007200001038,THREAT,virus,1,2013/07/27 23:55:11,188.40.238.252,192.168.181.188,188.40.238.252,10.193.16.181,l3,,,web-browsing,vsys1,l3-untrust,l3-trust,ethernet1/3,ethernet1/4,ubuntu1,2013/07/27 23:55:16,22631,1,443,1721,443,33657,0x81400000,tcp,deny,"eicar.com",Eicar Test File(100000),any,medium,server-to-client,1939,0x0,Germany,192.168.0.0-192.168.255.255,0,

In this example, decryption on the Palo Alto Networks firewall is enabled for the URL categories "search-engines" and "computer-and-internet-info".

First log:

Category: search-engines - flags: 0x1400000

0x01400000 & 0x01000000 = 0x01000000 (non-zero): the session was decrypted

0x01400000 & 0x00400000 = 0x00400000 (non-zero): the session was NATed

Second log:

Category: content-delivery-networks - flags: 0x400000

0x00400000 & 0x01000000 = 0x00000000 (zero): the session was not decrypted

0x00400000 & 0x00400000 = 0x00400000 (non-zero): the session was NATed

Third log:

Category: computer-and-internet-info (the category is not shown in this THREAT log) - flags: 0x81400000

0x81400000 & 0x80000000 = 0x80000000 (non-zero): a packet capture exists for the session

0x81400000 & 0x01000000 = 0x01000000 (non-zero): the session was decrypted

0x81400000 & 0x00400000 = 0x00400000 (non-zero): the session was NATed
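The bit tests above can be automated over a whole export. The following script is an added example, not code from the article or from Palo Alto Networks: it strips the syslog header, parses the comma-separated payload (including the quoted fields in THREAT entries), reads the flags field and decodes the three bits documented on this page, reporting any other set bits as raw "unknown" bits rather than guessing at them. It assumes the layout shown in the sample entries above, namely a four-token syslog header followed by the CSV record, with the flags value in the 29th CSV field (index 28) for both TRAFFIC and THREAT records; the three sample lines embedded in it are the entries from this article.

```python
import csv
import io

# Flag bits as documented on this page.
FLAG_PCAP = 0x80000000       # a packet capture exists for the session
FLAG_DECRYPTED = 0x01000000  # the session was decrypted by forward proxy
FLAG_NAT = 0x00400000        # the session was NATed

FLAG_NAMES = {
    FLAG_PCAP: "pcap",
    FLAG_DECRYPTED: "decrypted",
    FLAG_NAT: "nat",
}
KNOWN_BITS = FLAG_PCAP | FLAG_DECRYPTED | FLAG_NAT

# Assumption (from the sample lines on this page): the CSV payload follows a
# four-token syslog header ("Jul 27 23:20:45 10.193.20.181") and the flags
# field is CSV field index 28 for both TRAFFIC and THREAT records.
FLAGS_INDEX = 28
SESSION_ID_INDEX = 22

def split_syslog_line(line):
    """Return the CSV payload of one exported syslog line with the header removed."""
    parts = line.strip().split(None, 4)
    if len(parts) < 5:
        raise ValueError("line has no CSV payload: %r" % line)
    return parts[4]

def parse_flags(line):
    """Return (log type, subtype, session id, flags as int) for one exported line."""
    payload = split_syslog_line(line)
    # The csv module copes with quoted fields such as "eicar.com" in THREAT logs.
    fields = next(csv.reader(io.StringIO(payload)))
    if len(fields) <= FLAGS_INDEX:
        raise ValueError("too few CSV fields (%d) in line" % len(fields))
    flags_text = fields[FLAGS_INDEX]
    if not flags_text.lower().startswith("0x"):
        raise ValueError("field %d is not a hex flags value: %r" % (FLAGS_INDEX, flags_text))
    return fields[3], fields[4], fields[SESSION_ID_INDEX], int(flags_text, 16)

def decode_flags(flags):
    """Map a flags value to the named bits on this page.

    Returns one bool per known bit plus 'unknown', the remaining set bits
    that this page does not document (reported raw, not interpreted).
    """
    decoded = {name: bool(flags & bit) for bit, name in FLAG_NAMES.items()}
    decoded["unknown"] = flags & ~KNOWN_BITS
    return decoded

def was_decrypted(line):
    """True when the session in this exported log line was decrypted by forward proxy."""
    return bool(parse_flags(line)[3] & FLAG_DECRYPTED)

def summarize(lines):
    """Decode every non-empty line into (type, subtype, session id, flags, decoded)."""
    rows = []
    for line in lines:
        if not line.strip():
            continue
        log_type, subtype, session_id, flags = parse_flags(line)
        rows.append((log_type, subtype, session_id, flags, decode_flags(flags)))
    return rows

# Sample input: the three log entries quoted in the article above.
SAMPLE_LOG = """\
Jul 27 23:20:45 10.193.20.181 1,2013/07/27 23:20:45,007200001038,TRAFFIC,end,1,2013/07/27 23:20:44,192.168.181.188,173.194.66.94,10.193.16.181,173.194.66.94,l3,,,web-browsing,vsys1,l3-trust,l3-untrust,ethernet1/4,ethernet1/3,ubuntu1,2013/07/27 23:20:45,22162,1,1690,443,26104,443,0x1400000,tcp,allow,10535,1339,9196,21,2013/07/27 23:18:43,61,search-engines,0,11498,0x0,192.168.0.0-192.168.255.255,United States,0,9,12
Jul 27 23:22:52 10.193.20.181 1,2013/07/27 23:22:52,007200001038,TRAFFIC,end,1,2013/07/27 23:22:52,192.168.181.188,23.65.181.80,10.193.16.181,23.65.181.80,l3,,,ssl,vsys1,l3-trust,l3-untrust,ethernet1/4,ethernet1/3,ubuntu1,2013/07/27 23:22:52,22221,1,1699,443,54395,443,0x400000,tcp,allow,116882,5721,111161,131,2013/07/27 23:21:14,68,content-delivery-networks,0,11523,0x0,192.168.0.0-192.168.255.255,United States,0,48,83
Jul 27 23:55:17 10.193.20.181 1,2013/07/27 23:55:17,007200001038,THREAT,virus,1,2013/07/27 23:55:11,188.40.238.252,192.168.181.188,188.40.238.252,10.193.16.181,l3,,,web-browsing,vsys1,l3-untrust,l3-trust,ethernet1/3,ethernet1/4,ubuntu1,2013/07/27 23:55:16,22631,1,443,1721,443,33657,0x81400000,tcp,deny,"eicar.com",Eicar Test File(100000),any,medium,server-to-client,1939,0x0,Germany,192.168.0.0-192.168.255.255,0,
"""

if __name__ == "__main__":
    for log_type, subtype, sid, flags, d in summarize(SAMPLE_LOG.splitlines()):
        print("%s/%s session %s flags=0x%08x decrypted=%s nat=%s pcap=%s unknown=0x%x"
              % (log_type, subtype, sid, flags, d["decrypted"], d["nat"], d["pcap"], d["unknown"]))
```

Run it against a real export by replacing SAMPLE_LOG with the file contents (for example `summarize(open("export.log").readlines())`). If the export comes from a PAN-OS version whose CSV layout differs, the hex check on the flags field raises an error instead of silently decoding the wrong column, so adjust FLAGS_INDEX to match that version's field order.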

owner: rweglarz



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1JCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail