Policies > Decryption
You can configure the firewall to decrypt traffic for visibility, control, and granular security. Decryption policies can apply to Secure Sockets Layer (SSL) including SSL encapsulated protocols such as IMAP(S), POP3(S), SMTP(S), and FTP(S), and Secure Shell (SSH) traffic. SSH decryption can be used to decrypt outbound and inbound SSH traffic to assure that secure protocols are not being used to tunnel disallowed applications and content.
Add a decryption policy rule to define traffic that you want to decrypt (for example, you can decrypt traffic based on URL categorization). Decryption policy rules are compared against the traffic in sequence, so more specific rules must precede the more general ones.
SSL forward proxy decryption requires the configuration of a trusted certificate that will be presented to the user if the server to which the user is connecting possesses a certificate signed by a CA trusted by the firewall. Create a certificate on the Device > Certificate Management > Certificates page and then click the name of the certificate and select Forward Trust Certificate.
Certain applications will not function if they are decrypted by the firewall. To prevent this from occurring, PAN-OS will not decrypt the SSL traffic for these applications and the decryption rule settings will not apply. For a list of these applications, refer to the support article at: https://live.paloaltonetworks.com/docs/DOC-1423.
The following tables describe the decryption policy settings:
Decryption General Tab
Select the General tab to configure a name and description for the decryption policy. A tag can also be configured to allow you to sort or filter policies when a large number of policies exist.
Field | Description
--- | ---
Name | Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.
Description | Enter a description for the rule (up to 255 characters).
Tag | If you need to tag the policy, click Add to specify the tag. A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location.
Decryption Source Tab
Select the Source tab to define the source zone, source address, or source user of the traffic to which the decryption policy will be applied.
Field | Description
--- | ---
Source Zone | Click Add to choose source zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones. Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.
Source Address | Click Add to add source addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings. Select Negate to choose any address except the configured ones.
Source User | Click Add to choose the source users or groups of users subject to the policy. The following source user types are supported. any: Include any traffic regardless of user data. pre-logon: Include remote users that are connected to the network using GlobalProtect but are not logged into their system. When the Pre-logon option is configured on the Portal for GlobalProtect clients, any user who is not currently logged into their machine is identified with the username pre-logon. You can then create policies for pre-logon users; although the user is not logged in directly, their machine is authenticated on the domain as if they were fully logged in. known-user: Includes all authenticated users, which means any IP address with user data mapped. This option is equivalent to the "domain users" group on a domain. unknown: Includes all unauthenticated users, which means IP addresses that are not mapped to a user. For example, you could use unknown for guest-level access, because guests have an IP address on your network but are not authenticated to the domain and have no IP-to-user mapping on the firewall. Select: Includes the users selected in this window. For example, you may want to add one user, a list of individuals, some groups, or manually add users. If you are using a RADIUS server and not the User-ID Agent, the list of users does not display; you must enter user information manually.
Decryption Destination Tab
Select the Destination tab to define the destination zone or destination address of the traffic to which the policy will be applied.
Field | Description
--- | ---
Destination Zone | Click Add to choose destination zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones. Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.
Destination Address | Click Add to add destination addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings. Select Negate to choose any address except the configured ones.
Decryption Service/URL Category Tab
Select the Service/URL Category tab to apply the decryption policy to traffic based on TCP port number or to any URL category (or a list of categories).
Field | Description
--- | ---
Service | Apply the decryption policy to traffic based on specific TCP port numbers. Choose one of the following from the drop-down. any: The selected applications are allowed or denied on any protocol or port. application-default: The selected applications are decrypted (or are exempt from decryption) only on the default ports defined for the applications by Palo Alto Networks. Select: Click Add, then choose an existing service or specify a new Service or Service Group (or select Objects > Services and Objects > Service Groups).
URL Category | Select URL categories for the decryption rule. Choose any to match any session regardless of the URL category. To specify a category, click Add and select a specific category (including a custom category) from the drop-down. You can add multiple categories. Refer to for information on defining custom categories.
Decryption Options Tab
Select the Options tab to determine if the matched traffic should be decrypted or not. If Decrypt is set, specify the decryption type. You can also add additional decryption features by configuring or selecting a decryption profile.
Field | Description
--- | ---
Action | Select decrypt or no-decrypt for the traffic.
Type | Select the type of traffic to decrypt from the drop-down. SSL Forward Proxy: Specifies that the policy will decrypt client traffic destined for an external server. SSH Proxy: Specifies that the policy will decrypt SSH traffic. This option allows you to control SSH tunneling in policies by specifying the ssh-tunnel App-ID. SSL Inbound Inspection: Specifies that the policy will decrypt inbound SSL traffic to your own servers for inspection.
Decryption Profile | Attach a decryption profile to the policy rule in order to block and control certain aspects of the traffic. For details on creating a decryption profile, select Objects > Decryption Profile.
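Rule ordering and matching across the tabs above, as an added Python model; this is not PAN-OS code or its API. The zone, user, category and port values are constructed, and the model reproduces the page's two points: rules are compared top-down with the first match winning, so a specific no-decrypt exemption must precede the general decrypt rule, and a session that matches no decryption rule is left encrypted.

```python
from collections import namedtuple
from dataclasses import dataclass, field

ANY = "any"
# Constructed session: the attributes the Source, Destination and Service/URL Category
# tabs match on; src_user is "unknown" when the firewall has no IP-to-user mapping.
Session = namedtuple("Session", "src_zone dst_zone src_user url_category dst_port")

def _hit(allowed, value):
    return ANY in allowed or value in allowed

@dataclass
class DecryptRule:
    name: str
    action: str  # Options tab Action: "decrypt" or "no-decrypt"
    src_zones: set = field(default_factory=lambda: {ANY})
    dst_zones: set = field(default_factory=lambda: {ANY})
    src_users: set = field(default_factory=lambda: {ANY})
    categories: set = field(default_factory=lambda: {ANY})
    ports: set = field(default_factory=lambda: {ANY})

    def matches(self, s):
        # known-user covers every session with a mapped user, i.e. anything but "unknown".
        user_ok = _hit(self.src_users, s.src_user) or (
            "known-user" in self.src_users and s.src_user != "unknown")
        return (user_ok and _hit(self.src_zones, s.src_zone)
                and _hit(self.dst_zones, s.dst_zone)
                and _hit(self.categories, s.url_category)
                and _hit(self.ports, s.dst_port))

def evaluate(rules, session):
    """Top-down, first match wins; a session matching no rule stays encrypted."""
    for rule in rules:
        if rule.matches(session):
            return rule.name, rule.action
    return None, "no-decrypt"

# Constructed rulebase: the specific exemption is placed before the general rule.
RULEBASE = [
    DecryptRule("No-decrypt-financial", "no-decrypt", {"trust"}, {"untrust"},
                categories={"financial-services"}),
    DecryptRule("Decrypt-outbound", "decrypt", {"trust"}, {"untrust"}, ports={443}),
]

def demo():
    bank = Session("trust", "untrust", "acme\\alice", "financial-services", 443)
    shop = Session("trust", "untrust", "acme\\alice", "shopping", 443)
    shadowed = list(reversed(RULEBASE))  # same rules in the wrong order
    return {"bank": evaluate(RULEBASE, bank), "shop": evaluate(RULEBASE, shop),
            "bank_shadowed": evaluate(shadowed, bank)}
```

With the rules reversed, the broad Decrypt-outbound rule matches the banking session first and the exemption below it is never reached, which is the shadowing the ordering guidance above is meant to prevent.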