An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port.
Which log entry can the administrator use to verify that sessions are being decrypted?
The correct log entry to verify that sessions are being decrypted is the Decryption log. This log provides comprehensive information about the sessions that match a decryption policy, helping administrators gain context about that traffic to accurately and easily diagnose and resolve decryption issues.
PCNSE 9 is current exam content [02/2021] *** ANSWER = A *** https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClboCAC The question is simply asking how to verify if traffic was being decrypted. There are (2) ways to see this in the traffic logs:
1. To confirm that the traffic is decrypted, inside the WebGUI go to Monitor > Logs > Traffic. Click the magnifying glass icon in the traffic log entries to confirm that the connections were decrypted.
2. Another way to validate the decrypted session is by enabling the column "Decrypted" in the Traffic logs, as below. This can be done by clicking on the arrow down next to any column title and selecting Columns > Decrypted. This shows the decrypted status in the regular traffic log view.
How about PCNSE 10? Is it in March of 2021, or still PCNSE 9 in March...?
As of August 17th, 2020, the Palo Alto Networks Certified Network Security Engineer (PCNSE) and the Palo Alto Networks Certified Network Security Administrator (PCNSA) certification exams reflect changes based on PAN-OS 10.0.
Excellent answer :)
And on the Traffic logs, you can also add the "Decrypted" column, which would show Yes or No in case the connection was decrypted or not
I think it's A.
By default, Decryption policies only log unsuccessful TLS handshakes.
True!
I would lean towards option A, as the question asks about how one can go about verifying if sessions are being decrypted. In the details of a traffic log entry, you can check if the decrypt flag is marked or not. The Decryption log introduced in PAN-OS 10, on the other hand, provides comprehensive information about individual sessions that are decrypted, the sessions that are marked for "no decrypt" in the decryption policy, or any GlobalProtect sessions when you enable decryption logging in the GlobalProtect portal or gateway configuration.
B https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption#ida09e44a8-fd80-41e8-8572-33e9b122ad22
By default, decryption logs only unsuccessful events... A is correct.
Another stupid question with 2 answers. Both A and B are correct. https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/verify-decryption After you configure a best practice decryption profile and apply it to traffic, you can check both the Decryption logs (introduced in PAN-OS 10.0) and the Traffic logs to verify that the firewall is decrypting the traffic.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs#:~:text=The%20Decryption%20Log%20(MonitorLogsDecryption)%20provides%20comprehensive%20information%20about%20sessions%20that%20match%20a%20Decryption%20policy%20to%20help%20you%20gain%20context%20about%20that%20traffic%20so%20you%20can%20accurately%20and%20easily%20diagnose%20and%20resolve%20decryption%20issues
Answer: A. It says clearly where to find Decrypted in the traffic logs.
Decryption Log
Very clear answer on the PA website: "After you configure a best practice decryption profile and apply it to traffic, you can check both the Decryption logs..." https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/verify-decryption
The question is about log ENTRY and not log TYPE.
The Decryption log is where you see what is being decrypted; the System log is to see if there are any issues with the decryption policy.
As per bmarks and the links shared. Agree.
Again, best answer. As Pochex pointed out, Decryption logs don't show all traffic, so using traffic logs and looking at the decryption field is your best option to 'verify' that decryption is occurring or not.
The answer is A. In traffic details you will see the proxy/decryption checkbox.
It's A, just tested in my lab.
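The checks described in this thread (the "Decrypted" column of the Traffic log, and the fact that the Decryption log by default records only unsuccessful handshakes) carried out over exported logs, as an added example that is not part of the original thread or of any Palo Alto Networks tool. The CSV column names and the sample rows are constructed assumptions for the example, not a verbatim PAN-OS export.

```python
import csv
import io
from collections import Counter

# Constructed sample: a CSV export of Traffic log rows with the "Decrypted" column
# enabled. Column names and values are assumptions, not a verbatim PAN-OS export.
TRAFFIC_CSV = """Receive Time,Source,Destination,Destination Port,Application,Action,Decrypted
2021/02/10 10:00:01,10.1.1.5,203.0.113.10,443,ssl,allow,yes
2021/02/10 10:00:05,10.1.1.6,203.0.113.11,8443,ssl,allow,yes
2021/02/10 10:00:09,10.1.1.7,203.0.113.12,443,ssl,allow,no
2021/02/10 10:00:11,10.1.1.9,203.0.113.14,443,ssl,allow,no
2021/02/10 10:00:12,10.1.1.8,203.0.113.13,993,imap,allow,no
"""

# Constructed sample Decryption log rows. With default settings the Decryption log
# records only unsuccessful TLS handshakes, so a session absent here may well have
# been decrypted; only the Traffic log's Decrypted flag answers that question.
DECRYPTION_CSV = """Receive Time,Source,Destination,Destination Port,Error
2021/02/10 10:00:09,10.1.1.7,203.0.113.12,443,Certificate pinning / client reset
"""

def load(csv_text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def decryption_summary(traffic_rows):
    """Count SSL sessions per destination port, split by the Decrypted flag.
    A rule that decrypts on any port should show 'yes' on non-443 ports too."""
    summary = {}
    for row in traffic_rows:
        if row["Application"] != "ssl":
            continue
        port = int(row["Destination Port"])
        summary.setdefault(port, Counter())[row["Decrypted"].lower()] += 1
    return summary

def undecrypted_without_failure(traffic_rows, decryption_rows):
    """SSL sessions flagged Decrypted=no that have no failure entry in the
    Decryption log: candidates for a closer look (no-decrypt rule match, or the
    session never reached the decryption engine)."""
    key = lambda r: (r["Source"], r["Destination"], r["Destination Port"])
    failures = {key(r) for r in decryption_rows}
    return [key(r) for r in traffic_rows
            if r["Application"] == "ssl" and r["Decrypted"].lower() == "no"
            and key(r) not in failures]
```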