Safely enable applications, prevent successful cyberattacks

Protect your users without sacrificing privacy

Take advantage of the advanced decryption capabilities of our next-generation firewalls and PAN-OS® to increase visibility and prevent attacks while preserving privacy.


Find the hidden threats in your traffic

Encrypted traffic is on an explosive upturn. Cyber adversaries are using encryption to hide from security surveillance and bypass security controls. This means that even businesses with mature security measures in place can be breached if they are not securing encrypted traffic.

Next-generation firewalls from Palo Alto Networks® decrypt, inspect and then re-encrypt network traffic before it is sent to its destination. This provides visibility into encrypted traffic and controls to safely enable applications while preventing hidden threats, attacks and data leakage.


Use policy-based decryption on your next-generation firewall

Security professionals must be able to stop threats hidden in encrypted traffic while preserving the privacy of legitimate users.

Palo Alto Networks next-generation firewalls use policy-based decryption. It’s flexible enough that certain types of encrypted traffic can be left alone to comply with privacy standards and regulations (for example, traffic from known banking or healthcare organizations), while all other traffic can be decrypted and inspected.


Decryption controls

Enforce decryption based on URL category, source, destination, user, user group and port. For decrypted traffic, an “opt out” option is available; choosing it terminates the session. In addition, you can enforce the use of safe cipher suites and encryption protocol versions.


Securing encrypted traffic

Once traffic is selectively decrypted, it is then subject to security policy enforcement to enable users to access the right data and applications while preventing known and unknown threats. The traffic is then re-encrypted before it exits the firewall.


Decryption Broker: Simple and Secure

The next-generation firewall Decryption Broker overcomes the challenges of supporting devices that complement next-generation firewalls. Now you can decrypt once and share decrypted traffic with other devices easily. All complementary devices are inline, enabling enforcement on each device and maximizing security. The Decryption Broker is a natural extension to decryption on the next-generation firewall, simplifying the management and troubleshooting of the approach.