Advances in Decryption with PAN-OS 10.0

Aug 20, 2020
3 minutes

During the launch of the world’s first ML-Powered NGFW with PAN-OS 10.0, we were excited to hear from thousands of customers, many of whom joined us during virtual events for questions and discussion. Some of the questions we’ve received center around advances in decryption features introduced in PAN-OS 10.0, and I’d like to elaborate on this particular functionality. 

Our customers have been using the decryption capabilities available in PAN-OS over the last 10 years, but the need for simplifying decryption has recently become even more critical. Luckily, PAN-OS 10.0 includes advances in decryption to match the growing challenges for organizations. 


Increasing Encryption Raises Security Concerns

Encrypted data has exploded to around 95% of enterprise traffic. With increasing concerns about end-user privacy, major browsers, content providers and web developers are embracing encryption and pushing for its use on all web properties. While this is great news for the end user, here’s the problem: Encryption provides confidentiality and privacy, but it does not guarantee the presence of security, and it presents the perfect opportunity for malware to hide. It’s expected that this year 70% of malware will use encryption to evade security measures

We’ve been hearing from our customers that they see an order of magnitude increase in encrypted traffic, primarily driven by the adoption of public cloud and SaaS applications, which increasingly adopt HTTP/2 over TLS and modern encryption protocols like TLS1.3. The combination of increasing encryption and the security concerns it brings has put deploying decryption projects center stage for most organizations. 


How You Can Deploy Decryption Where It’s Needed

The new innovations in PAN-OS 10.0 address the importance of decryption for our customers by making it easy for you to deploy decryption where it’s needed, and by delivering complete visibility into the details of all your encrypted connections to help you implement and operationalize decryption. This visibility empowers you to roll out decryption in a safe and straightforward way that actually works. Here are some of the decryption features in PAN-OS 10.0:

  • Simplified implementation of decryption policies to provide comprehensive visibility. 
  • Support for TLS 1.3 without downgrading to older insecure protocols.
  • Support for HTTP/2 over TLS.
  • Enhanced performance boost on decryption. We’ve also released a new Data Processing Card (DPC) for the PA-7000 series, which offers 33% more compute power than the 100G NPC card, enabling an even further performance boost.
  • The ability to leverage a variety of mechanisms such as URL categorization to prioritize what to decrypt for security criticality and privacy.

Now you can more quickly implement decryption policies to provide comprehensive visibility and prevent known and unknown threats via the NGFW. You get enhanced security and all the tools you need to overcome the obstacles and challenges posed by decryption to successfully roll out TLS decryption projects, adopt security best practices quickly, and use all the benefits offered by our Next-Generation Firewall to mitigate risks. 

To see the workings of these new innovations firsthand, watch this demonstration, where Mandeep Singh Sandhu shares how you can easily:  

- Mitigate security risks by controlling the use of legacy TLS protocols.

- Deploy decryption using purpose-built troubleshooting and visibility capabilities.

- Secure cloud apps that use modern versions of protocols such as TLS 1.3 and HTTP/2.

To learn more about all the topics and questions discussed, view the full LinkedIn Live Q&A session on Intelligent Network Security.

Subscribe to the Newsletter!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.