Inspect and control SSL/TLS and SSH encrypted traffic with Palo Alto Networks next-generation firewalls. Our decryption capabilities allow you to stop threats that would otherwise remain hidden in encrypted traffic, and also to help prevent sensitive content from leaving your organization.

What traffic gets decrypted is under your control (based on organizational or legal requirements), and user notification and opt out options are available. Copies of decrypted traffic can also be “mirrored” to DLP or forensics/compliance systems. The firewall can also enforce the use of strong encryption options, including specific cipher suites and protocol versions.

Decryption Techniques

SSL/TLS decryption is supported via two mechanisms. For SSL/TLS outbound (i.e., connection initiated by internal client to external server), a man-in-the-middle “forward proxy” is implemented. Certificates are used to establish trust and create secure connections. For SSL/TLS inbound (external client to internal server), “inbound inspection” is accomplished by the firewall, leveraging server certificate information.

You can also utilize dedicated hardware security modules (HSMs) to manage certificate signing and master key storage (e.g., to meet FIPS protection requirements)*.

SSH traffic (irrespective of direction) is decrypted via a man-in-the-middle “SSH proxy” approach.


*HSM integration available on the PA-7000 Series, PA-5000 Series, PA-3000 Series, VM-Series, and Panorama products


Controlling Decryption

Decryption can be controlled (enabled or disabled) selectively based on: URL category, source, destination, user, user group and port. Control is configured via decryption policies in the firewall. For connections that match decryption enabling policies, an option to allow users to “opt out” is available (if a user opts out, the session will be terminated).

In addition to decryption policies (that specify which connections to decrypt), decryption profiles can be assigned to control various options for sessions controlled by the policy. For example, the use of specific cipher suites and encryption protocol versions can be required. 

Controlling Decrypted Traffic

Once SSL/TLS traffic is selectively decrypted, it is then subject to normal App-ID™ and security policy enforcement (including threat prevention, transfer to WildFire™, URL filtering, and file blocking profiles). The traffic is then re-encrypted as it exits the firewall (bound for either the server or client).

Decrypted SSH traffic is not subject to content or threat inspection, but SSH tunneling (port forwarding) can be detected, and then blocked, depending on the configured security policy.


Decryption Port Mirroring

Copies of decrypted traffic can be “mirrored” to a configured firewall interface*. This is useful for integrating third-party DLP or forensics/compliance systems. Options are available to mirror all decrypted firewall traffic or only the traffic forwarded by the firewall after application of all security policies.


*Decryption port mirroring available on the PA-7000 Series, PA-5000 Series, and PA-3000 Series


PA-7000 Series Specsheet

Key features, performance capacities and specifications for our PA-7000 Series.

Palo Alto Networks, Santa Clara, CA
  • 13
  • 44443

VM-Series for VMWare

Key features, performance capacities and specifications of VM-Series for VMWare.

  • 1
  • 14919

VM-Series on VMware NSX

Key features, performance capacities and specifications of VM-Series on VMware® NSX.

  • 0
  • 999

VM-Series on KVM

Key features, performance capacities and specifications of VM-Series on KVM.

  • 4
  • 7355

Post-Evanta Dinner

Please join Palo Alto Networks after the Evanta's SoCal CISO Solutions Tour for happy hour & dinner at Patina, right next door to LA Music Center, Dorothy Chandler Pavilion on Dec 13th. This should be a great way to wind down the day, and continue the meaningful dialogue that will no doubt take place throughout the conference. Our CIO, Naveen Zutshi, will be conducting an interview style conversation with UCLA Health's CTO, Bill Lazarus. There's no organization safe from cybersecurity threats, but the healthcare vertical has been especially targeted for many of the reasons we already know. Bill will be talking about a variety of topics ranging from zero trust to their testing of AWS public cloud, however, he's most interested in having a dynamic conversation and open to any questions throughout his talk. We look forward to having you participate in the session and rounding out your time investment. We'll plan on starting happy hour upon conclusion of the Solutions Tour reception, and since we have the entire restaurant reserved, we can stay flexible on when things wrap up (according to agenda, around 4:30ish). We estimate that dinner will run until about 7:30 or 8:00. See you there!

In Person Event
Los Angeles, CA
  • 0
  • 485

AWS Reference Architecture

This guide provides a foundation for securing network infrastructure using Palo Alto Networks® VMSeries virtualized next generation firewalls within the Amazon Web Services (AWS) public cloud.

  • 0
  • 446