A decryption profile allows you to perform checks on both decrypted traffic and traffic that you have excluded from decryption. Create a decryption profile to:
Block sessions using unsupported protocols or cipher suites, or sessions that require client authentication.
Block sessions based on certificate status, where the certificate is expired, is signed by an untrusted CA, has extensions restricting the certificate use, has an unknown certificate status, or the certificate status can’t be retrieved during a configured timeout period.
Block sessions if the resources to perform decryption are not available or if a hardware security module is not available to sign certificates.
After you create a decryption profile, you can attach it to a decryption policy rule; the firewall then enforces the decryption profile settings on traffic matched to the decryption policy rule.
Palo Alto Networks firewalls include a default decryption profile that you can use to enforce the basic recommended protocol versions and cipher suites for decrypted traffic.
Configure a Decryption Profile Rule
Objects > Decryption Profile: add or modify a decryption profile rule, and give the rule a descriptive name.
Allow the profile rule to be shared across every virtual system on a firewall or every Panorama device group.
(Decryption Mirroring Only) Configure Decryption Port Mirroring: enable an Ethernet interface for the firewall to use to copy and forward decrypted traffic. Decryption mirroring requires a decryption port mirror license.
SSL Forward Proxy: configure settings to verify certificates, enforce protocol versions and cipher suites, and perform failure checks on SSL decrypted traffic. These settings are active only when this profile is attached to a decryption policy rule that is set to perform SSL Forward Proxy decryption.
SSL Inbound Inspection: configure settings to enforce protocol versions and cipher suites and to perform failure checks on inbound SSL traffic. These settings are active only when this profile is attached to a decryption policy rule that is set to perform SSL Inbound Inspection.
SSL Protocol Settings: configure minimum and maximum protocol versions and the key exchange, encryption, and authentication algorithms to enforce for SSL traffic. These settings are active when this profile is attached to decryption policy rules that are set to perform either SSL Forward Proxy decryption or SSL Inbound Inspection.
Block and control traffic (for example, a URL category) for which you have disabled decryption, and configure settings to validate certificates for traffic that is excluded from decryption. These settings are active only when the decryption profile is attached to a decryption policy rule that disables decryption for certain traffic.
Block and control SSH traffic undergoing SSH Proxy decryption.
and configure settings to enforce supported protocol versions and
These settings are active only when the decryption profile is attached to a decryption policy rule that decrypts SSH traffic.
Add the decryption profile rule to a decryption policy rule. Traffic that matches the policy rule is enforced based on the additional profile rule settings.
Policies > Decryption: Create a Decryption Policy Rule or modify an existing rule, and select a decryption profile to block and control various aspects of the traffic matched to the rule.
The profile rule settings that are applied to matching traffic depend on the policy rule Action (Decrypt or No Decrypt) and the policy rule Type (SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy). This allows you to use the default decryption profile, or a standard decryption profile customized for your organization, with different types of decryption policy rules.
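The following Python model is an added example, not Palo Alto Networks code or configuration syntax. It illustrates the two ideas on this page together: the block checks a decryption profile can enforce (certificate status, unsupported protocol version or cipher suite, client authentication, decryption resources, HSM availability), and how the policy rule's Action (Decrypt or No Decrypt) and Type (SSL Forward Proxy or SSL Inbound Inspection) select which section of the profile is active. All field names, status strings, cipher names and the version ordering are constructed for the example; SSH Proxy is deliberately left unmodelled.

```python
"""Toy evaluator for decryption-profile checks (added example, constructed names)."""
from dataclasses import dataclass, field, fields
from typing import Dict, List, Optional

# Version ordering for the min/max protocol check (constructed for the example).
TLS_ORDER: Dict[str, int] = {"SSLv3": 0, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

# Certificate status values and the profile flag that blocks each (constructed).
CERT_FLAGS: Dict[str, str] = {
    "expired": "block_expired_cert",
    "untrusted_issuer": "block_untrusted_issuer",
    "restricted_extension": "block_restricted_extensions",
    "unknown_status": "block_unknown_cert_status",
    "status_timeout": "block_cert_status_timeout",
}


@dataclass
class ProfileSection:
    """Block settings for one section of the profile (field names are constructed)."""
    block_expired_cert: bool = False
    block_untrusted_issuer: bool = False
    block_restricted_extensions: bool = False
    block_unknown_cert_status: bool = False
    block_cert_status_timeout: bool = False
    block_unsupported_version: bool = False
    block_unsupported_cipher: bool = False
    block_client_auth: bool = False
    block_if_no_resources: bool = False
    block_if_hsm_unavailable: bool = False


@dataclass
class DecryptionProfile:
    forward_proxy: ProfileSection = field(default_factory=ProfileSection)
    inbound_inspection: ProfileSection = field(default_factory=ProfileSection)
    no_decryption: ProfileSection = field(default_factory=ProfileSection)
    # Protocol settings are shared by both decryption types (constructed values).
    min_version: str = "TLSv1.2"
    max_version: str = "TLSv1.3"
    allowed_ciphers: List[str] = field(default_factory=lambda: ["AES-GCM", "CHACHA20"])


@dataclass
class Session:
    """Facts about one observed session (constructed attribute names)."""
    version: str
    cipher: str
    cert_status: str = "valid"
    requires_client_auth: bool = False
    decrypt_resources_available: bool = True
    hsm_available: bool = True


def select_section(profile: DecryptionProfile, action: str, rule_type: str) -> ProfileSection:
    """Pick the profile section that the policy rule's Action and Type activate."""
    if action == "no-decrypt":
        return profile.no_decryption
    if action != "decrypt":
        raise ValueError(f"unknown action {action!r}")
    if rule_type == "ssl-forward-proxy":
        return profile.forward_proxy
    if rule_type == "ssl-inbound-inspection":
        return profile.inbound_inspection
    raise ValueError(f"rule type {rule_type!r} is not modelled here")


def evaluate(profile: DecryptionProfile, action: str, rule_type: str, session: Session) -> Optional[str]:
    """Return the first reason the session is blocked, or None when it is allowed."""
    section = select_section(profile, action, rule_type)

    # Certificate checks apply to decrypted traffic and to traffic excluded from decryption.
    flag = CERT_FLAGS.get(session.cert_status)
    if flag and getattr(section, flag):
        return f"certificate: {session.cert_status}"
    if action == "no-decrypt":
        return None  # excluded traffic gets only the certificate checks

    # Remaining checks only make sense when the firewall decrypts the session.
    version_rank = TLS_ORDER.get(session.version, -1)
    in_range = TLS_ORDER[profile.min_version] <= version_rank <= TLS_ORDER[profile.max_version]
    if section.block_unsupported_version and not in_range:
        return f"unsupported protocol version: {session.version}"
    if section.block_unsupported_cipher and session.cipher not in profile.allowed_ciphers:
        return f"unsupported cipher suite: {session.cipher}"
    if section.block_client_auth and session.requires_client_auth:
        return "session requires client authentication"
    if section.block_if_no_resources and not session.decrypt_resources_available:
        return "decryption resources unavailable"
    if section.block_if_hsm_unavailable and not session.hsm_available:
        return "HSM unavailable for certificate signing"
    return None


def strict_profile() -> DecryptionProfile:
    """Profile with every block setting enabled for decrypted traffic (constructed)."""
    everything = {f.name: True for f in fields(ProfileSection)}
    return DecryptionProfile(
        forward_proxy=ProfileSection(**everything),
        inbound_inspection=ProfileSection(**everything),
        no_decryption=ProfileSection(block_expired_cert=True, block_untrusted_issuer=True),
    )


if __name__ == "__main__":
    prof = strict_profile()
    print(evaluate(prof, "decrypt", "ssl-forward-proxy", Session("TLSv1.0", "AES-GCM")))
    print(evaluate(prof, "no-decrypt", "ssl-forward-proxy", Session("TLSv1.0", "RC4")))
```

Note that the same session (TLSv1.0, weak cipher) is blocked under a Decrypt rule but allowed under a No Decrypt rule, because only the certificate checks of the profile apply to traffic you have excluded from decryption; this is the practical consequence of the Action/Type dependence described above.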