SSL/TLS decryption is supported via two mechanisms. For outbound SSL/TLS (i.e., a connection initiated by an internal client to an external server), a man-in-the-middle “forward proxy” is implemented; certificates are used to establish trust and to create the secure connections. For inbound SSL/TLS (an external client to an internal server), “inbound inspection” is performed by the firewall, leveraging the server's certificate information.
You can also utilize dedicated hardware security modules (HSMs) to manage certificate signing and master key storage (e.g., to meet FIPS protection requirements)*.
SSH traffic (irrespective of direction) is decrypted via a man-in-the-middle “SSH proxy” approach.
*HSM integration available on the PA-7000 Series, PA-5000 Series, PA-3000 Series, VM-Series, and Panorama products
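The forward-proxy mechanism described above, as an added Go example (not Palo Alto Networks code, and not the firewall's actual implementation): a constructed forward-trust CA re-issues a leaf certificate that carries the upstream server's identity, and a client accepts that leaf only when the CA has been deployed to its trust store. The CA name, hostnames and validity periods are constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // fresh key for every certificate
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer, parent = priv, tmpl // nil signer: self-signed with the certificate's own key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}
// NewForwardTrustCA is a self-signed stand-in for the firewall's forward-trust CA (constructed here).
func NewForwardTrustCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}
// ReissueLeaf is the forward-proxy step: the upstream server's SANs and validity go into a leaf signed by the CA.
func ReissueLeaf(upstream, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     upstream.DNSNames,
		NotBefore:    upstream.NotBefore,
		NotAfter:     upstream.NotAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
}
func ClientAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}) // chain, validity and hostname
	return err == nil // true only when the forward-trust CA is among the client's roots
}
```

A client that lacks the forward-trust CA sees an untrusted issuer on every decrypted session, which is why CA deployment to endpoints is part of enabling forward-proxy decryption.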
Controlling Decrypted Traffic
Once SSL/TLS traffic is selectively decrypted, it is then subject to normal App-ID™ and security policy enforcement (including threat prevention, transfer to WildFire™, URL filtering, and file blocking profiles). The traffic is then re-encrypted as it exits the firewall (bound for either the server or client).
Decrypted SSH traffic is not subject to content or threat inspection, but SSH tunneling (port forwarding) can be detected, and then blocked, depending on the configured security policy.