Create a Decryption Profile
A decryption profile allows you to perform checks on both decrypted traffic and traffic that you have excluded from decryption. Create a decryption profile to:
Block sessions that use unsupported protocols or cipher suites, or that require client authentication.
Block sessions based on certificate status: the certificate is expired, is signed by an untrusted CA, has extensions restricting its use, has an unknown certificate status, or its status can't be retrieved within a configured timeout period.
Block sessions if the resources to perform decryption are not available or if a hardware security module is not available to sign certificates.
After you create a decryption profile, you can attach it to a decryption policy rule; the firewall then enforces the decryption profile settings on traffic matched to the decryption policy rule.
Palo Alto Networks firewalls include a default decryption profile that you can use to enforce the basic recommended protocol versions and cipher suites for decrypted traffic.
Configure a Decryption Profile Rule
Select Objects > Decryption Profile, Add or modify a decryption profile rule, and give the rule a descriptive Name.
(Optional) Allow the profile rule to be Shared across every virtual system on a firewall or every Panorama device group.
(Decryption Mirroring Only) To Configure Decryption Port Mirroring, enable an Ethernet Interface for the firewall to use to copy and forward decrypted traffic. Decryption mirroring requires a decryption port mirror license.
(Optional) Block and control SSL tunneled and/or inbound traffic undergoing SSL Forward Proxy decryption or SSL Inbound Inspection. Select SSL Decryption and then:
Select SSL Forward Proxy to configure settings to verify certificates, enforce protocol versions and cipher suites, and perform failure checks on SSL decrypted traffic. These settings are active only when this profile is attached to a decryption policy rule that is set to perform SSL Forward Proxy decryption.
Select SSL Inbound Inspection to configure settings to enforce protocol versions and cipher suites and to perform failure checks on inbound SSL traffic. These settings are active only when this profile is attached to a decryption policy rule that is set to perform SSL Inbound Inspection.
Select SSL Protocol Settings to configure the minimum and maximum protocol versions and the key exchange, encryption, and authentication algorithms to enforce for SSL traffic. These settings are active when this profile is attached to decryption policy rules that are set to perform either SSL Forward Proxy decryption or SSL Inbound Inspection.
(Optional) Block and control traffic (for example, a URL category) for which you have disabled decryption. Select No Decryption and configure settings to validate certificates for traffic that is excluded from decryption. These settings are active only when the decryption profile is attached to a decryption policy rule that disables decryption for certain traffic.
(Optional) Block and control SSH traffic undergoing SSH Proxy decryption. Select SSH Proxy and configure settings to enforce supported protocol versions. These settings are active only when the decryption profile is attached to a decryption policy rule that decrypts SSH traffic.
Add the decryption profile rule to a decryption policy rule. Traffic that the policy rule matches is enforced according to the additional profile rule settings. Select Policies > Decryption and Create a Decryption Policy Rule or modify an existing rule. Select Options and select a Decryption Profile to block and control various aspects of the traffic matched to the rule. The profile rule settings that are applied to matching traffic depend on the policy rule Action (Decrypt or No Decrypt) and the policy rule Type (SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy). This allows you to use the default decryption profile, or a standard decryption profile customized for your organization, with different types of decryption policy rules. Click OK.
Commit the configuration.
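As an added illustration (not Palo Alto Networks code), the following constructed Python model shows how the policy rule's Action and Type select which tabs of a single decryption profile are enforced, and how the block settings described above are then applied to a session; the setting names, session fact names and cipher strings are assumptions made for this example, not PAN-OS identifiers.

```python
# Constructed model, not PAN-OS code: a decryption profile is one dict of settings
# per profile tab, and the policy rule's Action and Type decide which tabs apply.
TLS_RANK = {"tls1.0": 0, "tls1.1": 1, "tls1.2": 2, "tls1.3": 3}

# (policy Action, policy Type) -> profile tabs whose settings are enforced.
ACTIVE_TABS = {
    ("no-decrypt", None): ["no-decryption"],
    ("decrypt", "ssl-forward-proxy"): ["ssl-forward-proxy", "ssl-protocol-settings"],
    ("decrypt", "ssl-inbound-inspection"): ["ssl-inbound-inspection", "ssl-protocol-settings"],
    ("decrypt", "ssh-proxy"): ["ssh-proxy"],
}

# Block setting -> observed session fact that triggers it (names are assumed here).
FLAG_CHECKS = {
    "block-expired-cert": "cert_expired",
    "block-untrusted-issuer": "cert_untrusted_issuer",
    "block-restricting-extensions": "cert_restricting_extensions",
    "block-unknown-cert-status": "cert_status_unknown",
    "block-status-timeout": "cert_status_timeout",
    "block-client-auth": "client_auth_required",
    "block-if-no-resources": "resources_unavailable",
    "block-if-hsm-unavailable": "hsm_unavailable",
}

def evaluate(profile: dict, policy: dict, session: dict) -> list:
    """Return the reasons the session would be blocked; an empty list means allow."""
    reasons = []
    for tab in ACTIVE_TABS[(policy["action"], policy.get("type"))]:
        settings = profile.get(tab, {})
        for setting, fact in FLAG_CHECKS.items():
            if settings.get(setting) and session.get(fact):
                reasons.append(f"{tab}: {setting}")
        if tab == "ssl-protocol-settings":  # version and cipher suite enforcement
            if TLS_RANK[session["version"]] < TLS_RANK[settings["min-version"]]:
                reasons.append(f"{tab}: {session['version']} below min-version")
            if session["cipher"] not in settings["ciphers"]:
                reasons.append(f"{tab}: cipher {session['cipher']} not allowed")
    return reasons

# Constructed profile that can sit on both a Decrypt and a No Decrypt policy rule.
PROFILE = {
    "ssl-forward-proxy": {"block-expired-cert": True, "block-untrusted-issuer": True,
                          "block-client-auth": True, "block-if-no-resources": True},
    "ssl-inbound-inspection": {"block-if-no-resources": True, "block-if-hsm-unavailable": True},
    "ssl-protocol-settings": {"min-version": "tls1.2",
                              "ciphers": {"ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305"}},
    "no-decryption": {"block-expired-cert": True, "block-untrusted-issuer": True},
}
# Constructed session: TLS 1.0 with an expired server certificate.
SESSION = {"version": "tls1.0", "cipher": "AES128-SHA", "cert_expired": True}
```

Running the same profile and session through a Decrypt/SSL Forward Proxy rule yields three block reasons (expired certificate, protocol version, cipher), while a No Decrypt rule yields only the expired-certificate reason, because the SSL Protocol Settings tab is not active for excluded traffic.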