Inspect and control SSL/TLS and SSH encrypted traffic with Palo Alto Networks next-generation firewalls. Our decryption capabilities allow you to stop threats that would otherwise remain hidden in encrypted traffic and also prevent sensitive content from leaving your organization.

What traffic gets decrypted is under your control (based on organizational or legal requirements), and user notification and opt-out options are available. The firewall can also enforce the use of strong encryption options, including specific cipher suites and protocol versions.

Controlling Decryption

Decryption can be controlled (enabled or disabled) selectively based on URL category, source, destination, user, user group and port. Control is configured via decryption policies in the firewall. For connections that match decryption-enabling policies, an option to allow users to “opt out” is available (if a user opts out, the session will be terminated).

In addition to decryption policies (which specify which connections to decrypt), decryption profiles can be assigned to control various options for sessions controlled by the policy. For example, the use of specific cipher suites and encryption protocol versions can be required.

Controlling Decrypted Traffic

Once SSL/TLS traffic is selectively decrypted, it is then subject to normal App-ID™ and security policy enforcement (including threat prevention, transfer to WildFire®, URL filtering, and file blocking profiles). The traffic is then re-encrypted as it exits the firewall (bound for either the server or client).

Decrypted SSH traffic is not subject to content or threat inspection, but SSH tunneling (port forwarding) can be detected, and then blocked, depending on the configured security policy.


Decryption Broker: Simple and Secure

The next-generation firewall Decryption Broker, an innovation introduced with PAN-OS 8.1, overcomes the challenges of supporting devices that complement next-generation firewalls. Now you can decrypt once and share decrypted traffic with other devices easily. All complementary devices are inline, enabling enforcement on each device and maximizing security. The Decryption Broker is a natural extension to decryption on the next-generation firewall, simplifying the management and troubleshooting of the solution.

Selective SSL Decryption for Threat Prevention

This paper provides an approach to strike a balance between security and performance by selectively decrypting and inspecting SSL traffic based on policy.

SSL Decryption - using Next Generation Firewalls to control this growing blind spot

Decrypting SSL for Traffic Inspection

SSL is a growing category of network traffic that delivers private and secure communications. However, it can also be used inappropriately to hide application usage, transfer data to unauthorized parties, and mask malicious activity.