How to View SSL Decryption Information from the CLI

Procedure

Overview

This document describes how to view SSL Decryption Information from the CLI.

Details

The following CLI commands provide information about SSL decryption on the Palo Alto Networks device:

To display the count of decrypted sessions

> show session all filter ssl-decrypt yes count yes
Number of sessions that match filter: 2758

To view the decrypted sessions

> show session all filter ssl-decrypt yes

To clear the decrypted sessions

> clear session all filter ssl-decrypt yes

To reset the ssl-decrypt cache

> debug dataplane reset ssl-decrypt <option>

The following command checks the global counters for any SSL-decryption-related failures (the name, value, rate, severity, category, aspect and description columns of the counter table):

> show counter global | match proxy
name                             value  rate  severity  category  aspect    description
---------------------------------------------------------------------------------------
proxy_process                     1205     0  info      proxy     pktproc   Number of flows go through proxy
proxy_no_process                   453     0  info      proxy     pktproc   Number of flows donot go through proxy
proxy_wqe_held                     253     0  info      proxy     resource  Number of wqe held by proxy for notify answer
proxy_excluded                      78     0  info      proxy     pktproc   Number of ssl sessions bypassed proxy because of exclusion
proxy_client_hello_failed            4     0  warn      proxy     pktproc   Number of ssl sessions bypassed proxy because client hello can't be parsed
proxy_url_request_pkt_drop          24     0  info      proxy     pktproc   The number of packets get dropped because of waiting for url category request in ssl proxy
proxy_url_category_unknown         435     0  info      proxy     pktproc   Number of sessions checked by proxy with unknown url category
url_session_not_in_ssl_wait          4     0  error     url       system    The session is not waiting for url in ssl proxy
proxy_url_request_pkt_drop         266     0  drop      proxy     pktproc   The number of packets get dropped because of waiting for url category request in ssl proxy
proxy_timer_del_session_added        4     0  info      proxy     pktproc   Number of timers added for deleting proxy host connection
proxy_timer_del_sessions             4     0  info      proxy     pktproc   Number of proxy host connections deleted due to timer
proxy_proxy_host_not_connected      15     0  warn      proxy     pktproc   Number of packets proxy_host tried to receive or transmit when not connected
url_session_not_in_ssl_wait         40     0  error     url       system    The session is not waiting for url in ssl proxy
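As an added example (not part of the original article or of PAN-OS), the following Python script parses saved output of show counter global | match proxy, flags the warn, error and drop counters that have fired, and reports which counters grew between two snapshots, since a single absolute value says less than growth over time. The two sample snapshots are constructed from the counter lines listed above.

```python
"""Added example (not from the original article): parse the output of
'show counter global | match proxy' and flag SSL decryption trouble.
Column order follows the PAN-OS counter table: name, value, rate,
severity, category, aspect, description."""
from collections import namedtuple

Counter = namedtuple("Counter", "name value rate severity category aspect description")

# Constructed samples, taken from the two counter listings in the article.
SNAPSHOT_1 = """\
proxy_process               1205  0 info  proxy pktproc Number of flows go through proxy
proxy_client_hello_failed      4  0 warn  proxy pktproc Number of ssl sessions bypassed proxy because client hello can't be parsed
proxy_url_request_pkt_drop    24  0 info  proxy pktproc The number of packets get dropped because of waiting for url category request in ssl proxy
url_session_not_in_ssl_wait    4  0 error url   system  The session is not waiting for url in ssl proxy
"""
SNAPSHOT_2 = """\
proxy_url_request_pkt_drop   266  0 drop  proxy pktproc The number of packets get dropped because of waiting for url category request in ssl proxy
proxy_proxy_host_not_connected 15 0 warn  proxy pktproc Number of packets proxy_host tried to receive or transmit when not connected
url_session_not_in_ssl_wait   40  0 error url   system  The session is not waiting for url in ssl proxy
"""

def parse_counters(text):
    """Return Counter records; skips the header, separator and prompt lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split(maxsplit=6)
        if len(parts) < 7 or not parts[1].isdigit():
            continue
        name, value, rate, sev, cat, asp, desc = parts
        rows.append(Counter(name, int(value), int(rate), sev, cat, asp, desc))
    return rows

def failure_counters(counters):
    """Counters at warn/error/drop severity that have actually fired."""
    return [c for c in counters if c.severity in {"warn", "error", "drop"} and c.value > 0]

def increased(before, after):
    """Per-counter growth between two snapshots; a growing failure counter
    is a better signal than a single absolute value."""
    prev = {c.name: c.value for c in before}
    return {c.name: c.value - prev[c.name]
            for c in after if c.name in prev and c.value > prev[c.name]}

if __name__ == "__main__":
    now = parse_counters(SNAPSHOT_2)
    for c in failure_counters(now):
        print(f"{c.severity:5} {c.name:32} {c.value}")
    print("grew since last snapshot:", increased(parse_counters(SNAPSHOT_1), now))
```

Feed it the real output captured from the firewall CLI (for example, saved from an SSH session) in place of the constructed snapshots.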