
How to Determine if Session was Decrypted Based on Flags in Exported/Syslog Logs

Created On 09/26/18 13:55 PM - Last Modified 08/22/24 09:20 AM


Resolution


Overview

To determine if the session was decrypted by forward proxy, check the 'Flags' field in the exported/forwarded traffic/threat logs.


Details

The 'Flags' field is a bitmask: a sum of several values, each describing one property of the session. If the result of a bitwise AND of the 'Flags' field with the value 0x01000000 is greater than 0, the session was decrypted by forward proxy.


Example log entries:

Jul 27 23:20:45 10.193.20.181 1,2013/07/27 23:20:45,007200001038,TRAFFIC,end,1,2013/07/27 23:20:44,192.168.181.188,173.194.66.94,10.193.16.181,173.194.66.94,l3,,,web-browsing,vsys1,l3-trust,l3-untrust,ethernet1/4,ethernet1/3,ubuntu1,2013/07/27 23:20:45,22162,1,1690,443,26104,443,0x1400000,tcp,allow,10535,1339,9196,21,2013/07/27 23:18:43,61,search-engines,0,11498,0x0,192.168.0.0-192.168.255.255,United States,0,9,12


Jul 27 23:22:52 10.193.20.181 1,2013/07/27 23:22:52,007200001038,TRAFFIC,end,1,2013/07/27 23:22:52,192.168.181.188,23.65.181.80,10.193.16.181,23.65.181.80,l3,,,ssl,vsys1,l3-trust,l3-untrust,ethernet1/4,ethernet1/3,ubuntu1,2013/07/27 23:22:52,22221,1,1699,443,54395,443,0x400000,tcp,allow,116882,5721,111161,131,2013/07/27 23:21:14,68,content-delivery-networks,0,11523,0x0,192.168.0.0-192.168.255.255,United States,0,48,83


Jul 27 23:55:17 10.193.20.181 1,2013/07/27 23:55:17,007200001038,THREAT,virus,1,2013/07/27 23:55:11,188.40.238.252,192.168.181.188,188.40.238.252,10.193.16.181,l3,,,web-browsing,vsys1,l3-untrust,l3-trust,ethernet1/3,ethernet1/4,ubuntu1,2013/07/27 23:55:16,22631,1,443,1721,443,33657,0x81400000,tcp,deny,"eicar.com",Eicar Test File(100000),any,medium,server-to-client,1939,0x0,Germany,192.168.0.0-192.168.255.255,0,



In this example, decryption on the Palo Alto Networks firewall is enabled for the following URL categories: "search-engines" and "computer-and-internet-info".


First log:

Category: "search-engines" (i.e., decryption is enabled for this category)
Flags: 0x1400000

0x1400000 & 0x01000000 = 0x01000000 > 0: the session was decrypted

0x1400000 & 0x00400000 = 0x00400000 > 0: the session was NATed


Second log:

Category: "content-delivery-networks" (i.e., decryption is not enabled for this category)
Flags: 0x400000

0x400000 & 0x01000000 = 0: the session was not decrypted

0x400000 & 0x00400000 = 0x00400000 > 0: the session was NATed


Third log:

Category: "computer-and-internet-info" (i.e., decryption is enabled for this category; the URL category itself is not shown in the Threat log)
Flags: 0x81400000

0x81400000 & 0x80000000 = 0x80000000 > 0: a packet capture exists for the session

0x81400000 & 0x01000000 = 0x01000000 > 0: the session was decrypted

0x81400000 & 0x00400000 = 0x00400000 > 0: the session was NATed


See also:

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields
https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields


