Decryption.

Identify & Control Encrypted Traffic.

Take control of your SSL and SSH encrypted traffic and ensure it is not being used to conceal unwanted activity or dangerous content. Using policy-based decryption and inspection, you can confirm that SSL and SSH are being used for business purposes only, rather than to spread threats or transfer data without authorization.


Identify, control and inspect inbound SSL traffic.

Policy-based identification, decryption, and inspection of inbound SSL traffic (from outside clients to internal servers) can be applied to ensure that applications and threats are not hiding within SSL traffic. A server certificate and private key are installed on Palo Alto Networks next-generation firewalls to handle decryption. By default, SSL decryption is disabled.

Identify, control and inspect outbound SSL traffic.

Policy-based identification, decryption and inspection of outbound SSL traffic (from users to the web) can be applied to make sure that applications and threats are not hiding within SSL traffic. Our firewalls use a 'man-in-the-middle' approach in which device certificates are installed in the user's browser. By default, SSL decryption is disabled.

Offload SSL traffic for additional analysis and archiving.

If your organization requires comprehensive data capture for forensic and historical purposes or data leak prevention (DLP) functionality, you can use port mirroring to forward a copy of SSL traffic to a third-party solution such as NetWitness or Solera for more granular analysis or archiving purposes. Supported only on the PA-7050, PA-5000 Series and the PA-3000 Series.

Simplify SSL certificate signing and management process.

You can use dedicated hardware security modules (HSMs) to manage the certificate signing functions for SSL forward proxy and SSL inbound inspection, as well as the master key storage functions. HSM support is generally needed when FIPS 140-2 Level 3 protection for CA keys is required.

  • Supported HSMs: SafeNet Luna SA and Thales nShield Connect.
  • Platforms supported: PA-7050, PA-5000 Series, PA-4000 Series, PA-3000 Series, VM-Series and the M-100 management appliance.

Identify and control SSH traffic.

Our enterprise security platform gives you policy-based identification and control of SSH-tunneled traffic. A 'man-in-the-middle' approach is used to detect port forwarding or X11 forwarding within SSH, which is reported as an SSH tunnel, while regular shell, SCP and SFTP access to the remote machine is reported as SSH. By default, SSH control is disabled.