Palo Alto has a field called “flags”. It can have several hex-type entries, but what I’m interested in is whether or not a session was decrypted, and this is the field that indicates that. What I could use a little help on (then I can go deeper) is how to tell a field to return something usable. Basically: if the ‘flags’ field is 0x100000, then show me the words “Not Decrypted”, and if the ‘flags’ field is 0x1500000, then show me “Decrypted”. Past that, and with the syntax, I can build further. I’m guessing it’s an eval command, but I can’t figure it out.
Help an amateur out? :)