Exam PCNSE
Question 109

Which log file can be used to identify SSL decryption failures?

    Correct Answer: A

    The Traffic log file is the correct log file to identify SSL decryption failures. This is because the Traffic log includes details about the decrypted sessions, including any decryption errors. Checking the session end reasons in the Traffic log, such as 'decrypt-error' or 'decrypt-cert-validation', will help to identify SSL decryption failures. The other options either do not relate to log files or do not provide the necessary details about SSL decryption failures.
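
The session-end-reason check described above, as an added example that is not part of the original page: it groups sessions from a Traffic log CSV export whose end reason starts with `decrypt-`. The column names and the sample rows are constructed assumptions; match them to the header of your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows shaped like a Traffic log CSV export.
# Column names are assumptions for this example; adjust to your export's header.
SAMPLE_EXPORT = """\
Receive Time,Source address,Destination address,Destination Port,Application,Action,Session End Reason
2024/01/10 09:00:01,10.1.1.20,203.0.113.10,443,ssl,allow,decrypt-cert-validation
2024/01/10 09:00:05,10.1.1.21,203.0.113.10,443,ssl,allow,decrypt-cert-validation
2024/01/10 09:00:09,10.1.1.20,198.51.100.7,443,web-browsing,allow,tcp-fin
2024/01/10 09:01:12,10.1.1.35,198.51.100.44,443,ssl,allow,decrypt-error
2024/01/10 09:02:30,10.1.1.35,192.0.2.80,80,web-browsing,allow,aged-out
2024/01/10 09:03:00,10.1.1.20,203.0.113.10,443,ssl,allow,Decrypt-Cert-Validation
"""

def decryption_failures(csv_text, reason_col="Session End Reason",
                        dest_col="Destination address", src_col="Source address"):
    """Group sessions whose end reason starts with 'decrypt-' by (destination, reason)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = {reason_col, dest_col, src_col} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export is missing columns: {sorted(missing)}")
    groups = defaultdict(lambda: {"sessions": 0, "sources": set()})
    for row in reader:
        # Short rows yield None; normalise case and whitespace before matching.
        reason = (row[reason_col] or "").strip().lower()
        if not reason.startswith("decrypt-"):
            continue  # normal end reasons (tcp-fin, aged-out, ...) are not failures
        group = groups[((row[dest_col] or "").strip(), reason)]
        group["sessions"] += 1
        group["sources"].add((row[src_col] or "").strip())
    # Most affected destination first, then by destination and reason for stable output.
    return sorted(
        ((dest, reason, g["sessions"], sorted(g["sources"]))
         for (dest, reason), g in groups.items()),
        key=lambda r: (-r[2], r[0], r[1]),
    )

if __name__ == "__main__":
    for dest, reason, sessions, sources in decryption_failures(SAMPLE_EXPORT):
        print(f"{dest:15} {reason:25} sessions={sessions} sources={','.join(sources)}")
```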

Discussion
Daniel2020 Option: A

A Always from the traffic log. Whether it is drilling down into traffic log details or enabling the decryption column. Acquaint yourself with this reference: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/verify-decryption.html

Micutzu Option: A

The question is about "log file" and SSL decrypt failures. ACC isn't a log file. SSL decrypt failures you can see on Decryption log and in Traffic log (Session End Reason column).

327c7c8 Option: B

B: Is the correct answer. ACC > SSL Activity > Decryption failure reasons gives you the information about the failure. In the Traffic log you can verify if the traffic is encrypted or not. There are no details about the failure.

thegreek1 Option: A

Confirmed that the answer is A Traffic. https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/verify-decryption.html

Daniel2020 Option: B

B - as from PAN-OS 10, troubleshooting SSL is done in the following process: 1. Check ACC decryption widgets to identify traffic that causes decryption issues 2. Drill down further using the Decryption Log. It is not A because that simply tells you if the traffic was or was not decrypted. It does not in any way provide you with a means for troubleshooting. The question is asking you to troubleshoot. Read "Troubleshoot and Monitor Decryption" for PAN-OS 10. It clearly lists your troubleshooting process for SSL decryption issues https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption.html

bmarks

The Question is simply asking which 'log file' lists/identifies decrypt failures, not how and where do I troubleshoot them... The Application Command Center (ACC) is an analytical tool, not a log file. The only answer that makes sense is A Traffic log.

bmarks

Also, the PCNSE 9 exam covers PANOS 9.1, not PANOS 10

duckduckgooo Option: B

I am going to go with B https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-troubleshooting-workflow-examples/investigate-decryption-failure-reasons What people are selecting is for validating if decryption was used, but not for specific failures.

PaloSteve

From this article: "To investigate decryption errors, start with the Application Command Center (ACC) to identify failures and then go to the Decryption logs to drill down into details." So, the real answer might be the Decryption logs, which, of course, is not an option. LOL.

TAKUM1y Option: A

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/verify-decryption

FS68 Option: A

A because ACC isn't a log file

kike71 Option: B

I think that the correct answer is B. PANOS Guide: Investigate Decryption Failure Reasons. Begin your investigation at ACC > SSL Activity and look at the Decryption Failure Reasons widget https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-troubleshooting-workflow-examples/investigate-decryption-failure-reasons.html#id1eee110d-3799-45ef-a4b0-e5e7fbd157af

kike71

There is a thing that dizzies me... ACC isn't a log file

duckduckgooo

Dang it, I gotta read slower. I was looking why it wasn't that since 10.x has that great feature.

kraut Option: A

IMHO: A - traffic log. Specifically, check session end reason where decrypted=yes and action=allowed. You'll see errors such as decrypt-error, decrypt-cert-validation.

0d2fdfa Option: B

B is correct according to the documentation. The most common reasons for decryption failures are TLS protocol errors, cipher version errors (client and server version mismatches and client and Decryption profile version mismatches), and certificate errors. To investigate decryption errors, start with the Application Command Center (ACC) to identify failures and then go to the Decryption logs to drill down into details. Option is Traffic and NOT "Decryption logs" https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-troubleshooting-workflow-examples/investigate-decryption-failure-reasons

Marshpillowz Option: A

A is correct

news088 Option: A

ACC is not a log file. The question is about "Which log file", so A should be the correct one.

DenskyDen Option: A

View Decrypted Traffic Sessions—Filter the Traffic Logs (Monitor > Logs > Traffic) using the filter ( flags has proxy ) https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/verify-decryption#id185BG0KL0W1

PaloSteve

This flag is only for traffic that has been successfully decrypted. It will not help identify SSL decryption failures

Pretorian Option: A

Another tricky question, very common with PANW tests. While I agree with "A", if you go to "Monitor > Decryption" you will see an "Error" and "Error Index" column (if you don't see it, you can enable it). The Traffic log will only tell you if a session was decrypted or not, but non-decrypted traffic doesn't always mean a failure; it could often mean there's a decryption policy with action "no decrypt" or an SSL decryption exclusion or an error. Something to think about...

lucaboban Option: A

The following tools provide full visibility into the TLS handshake and help you troubleshoot and monitor your decryption deployment: ACC - SSL Activity Monitor - Logs - Decryption So as there is no Decryption listed as answer, ACC fits. Correct answer is: A

CKPH Option: B

PCNSE is based on PANOS10 https://live.paloaltonetworks.com/t5/certification-articles/pcnse-and-pcnsa-exam-changes-with-10-0/ta-p/344832 Could be B: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-release-notes/pan-os-10-0-release-information/features-introduced-in-pan-os-10-0/decryption-features.html#ida1eb9d8c-515e-4e88-b217-1ebc025a45d4 "Use the new ACC features to identify traffic for which decryption causes problems and then use the new Decryption logs to drill down into details and solve the problem."

Prutser2

Agree, could be. Again, wording of question clearly states "log file"; ACC is not a log file, so it brings back to A.