>
    Strata Copilot
    Decryption Policy Rules
    Focus
    Download PDF
    Focus
    1. Home
    2. Network Security
    4. Decryption Basics
    5. Decryption Policy Rules
    Download PDF
    Network Security

    Decryption Policy Rules

    Table of Contents

    Decryption Policy Rules

    Decryption policy rules dictate how NGFW and Prisma Access decrypt traffic and are the basis of a decryption policy.
    Where Can I Use This?What Do I Need?
    • NGFW
    • Prisma Access
    No requirements.
    Decryption policy rules define how Next-Generation Firewalls (NGFW) and Prisma Access handle encrypted traffic. These rules specify criteria for traffic that is or isn't decrypted and the type of decryption performed on this traffic. One or more decryption policy rules form a decryption policy. You can specify decryption criteria using network and policy objects. For example, you can decrypt traffic from specific users, URL categories, or specific sources or destinations. The types of traffic subject to decryption or the enforcement of decryption policy rules include SSL/TLS traffic (including SSL-encapsulated protocols like IMAP(S), POP3(S), SMTP(S), and FTP(S)) and SSH traffic, whether incoming or outgoing from your network. NGFW and Prisma Access support three types of decryption: SSL Forward Proxy, SSL Inbound Inspection, and SSH Proxy.
    SSH Proxy is not supported by Strata Cloud Manager.
    The settings in a decryption policy rule allow for precise application of rules to different users, groups, segments. For example, you can decrypt traffic to certain URL categories involving certain zones when a certain user is requesting resources. In summary, creating decryption policy rules that match traffic based on these criteria allows you to implement highly effective and efficient security measures.

    Components of a Decryption Policy Rule

    Decryption policy rules enable you to specify the traffic you want to decrypt based on destination, source, service, or URL category. You also define how you want to decrypt that traffic, by applying a decryption profile with additional settings, for example, and log settings. Each setting type corresponds to a different area of the interface, which may have slightly different names depending on your management platform:
    • Source
    • Destination
    • Service/URL Category (or Services and URLs)
    • Options (or Action and Advanced Inspection)
    • Log Settings
    By specifying traffic based on IP addresses, ports, and protocols, and other characteristics you can optimize the use of decryption resources, providing an additional layer of protection where it's most needed.

    General

    In this section, enter basic information about the decryption policy rule, including the Name and Description (helpful for differentiating between rules or various users). You can also add Tags, and depending on your management platform, group rules by tags, add audit comments, and view audit comments.

    Source

    Enforce traffic based on its origin. In this section, specify the source zone or source address that defines the incoming source traffic to which the decryption policy rule will apply. Select or Add a Zone, Addresses–Source Address, Address Groups, External Dynamic Lists, Regions, Users–User Groups and Users, or Devices, including HIP Profiles and Device Profiles. For more information on zones, see Segment Your Network Using Interfaces and Zones.

    Destination

    Enforce traffic based on where it terminates. In this section, specify the destination zone or destination address of the traffic to which the rule will apply. You can add Zones and Addresses–Source Address, Address Groups, External Dynamic Lists, Regions, and SaaS Application Endpoints.

    Service/URL Category (Services and URLs)

    Apply a rule based on service (port and protocols) and URL categories. In this section, define Service Entities–Services and Service Groups and URL Category Entities–URL Categories, External Dynamic Lists, and SaaS Application Endpoints. You can exclude a certain website or category of websites or applications from decryption using a predefined or custom URL category. Services correspond to the TCP and UDP port numbers used by the service.

    Options (Action and Advanced Inspection)

    Choose whether to decrypt the traffic that matches a decryption policy rule and specify the type of decryption you want to enable. In this section, specify the type of decryption the rule performs (Action or Type). For traffic you choose not to decrypt, you can Enforce TLS and Certificate Validation. You can also configure decryption log settings (if not Strata Cloud Manager), described more in Log Settings, and use a decryption profile to block and control certain aspects of the traffic matching the rule it's applied to. For example, you can use a decryption profile to perform checks and verification on sessions, certificates, and protocol versions.

    Log Settings

    In NGFW deployments not managed by Strata Cloud Manager, this information is configured in the Options section of the configuration.
    In this section, enable the logging of successful or unsuccessful handshakes and configure External Log Forwarding. Decryption logs save locally if an external forwarding option isn't selected. You must also have a license for the forwarding service. For more information about decryption logging, see Configure Decryption Logging.

    Decryption Policy Rule Considerations

    A well-designed decryption policy balances security concerns and other requirements and intentionally decrypts, blocks, or allows different traffic. Remember, you can't block traffic that you don't inspect, but you want to avoid unnecessarily blocking legitimate traffic. The traffic you choose to decrypt is as important as the traffic you choose not to decrypt.
    Consider the following before, during, and after you've created decryption policy rules:
    • Regulatory compliance requirements
    • Privacy concerns
    • Performance impact
    • Specific security needs
    A Zero Trust perspective advocates for inspecting all traffic for malware and other threats. Various controls are available to implement this approach effectively while respecting the above requirements.
    Before creating a decryption policy rule, develop a decryption strategy that:
    • Identifies and prioritizes traffic to decrypt. This helps you to address resource consumption concerns and decryption efficiency. For example, you can prioritize decrypting traffic to and from specific users or groups.
    • Identifies traffic that you don't want to decrypt for business, legal, or privacy reasons, such as that of business executives.
    • Recognizes traffic that can't be decrypted due to technical limitations such as a pinned certificate.
    Use the Planning a Decryption Deployment chapter and the Decryption Best Practices guide as resources when making decisions about what you decrypt and how to approach decryption.
    • Decrypt as much nonprivate and nonsensitive traffic as your NGFW and Prisma Access resources permit. This reduces the attack surface by exposing and preventing encrypted threats.
    • Involve legal, finance, HR, executives, security, IT, and other stakeholders in the development of your decryption deployment strategy.
    Make Policy Rules As Specific and General As Needed and Order Them Appropriately. Many Palo Alto Networks services rely on decryption. It's important to make sure that decryption policy rules are as specific or general as needed and ordered appropriately.
    • Decryption policy rules are evaluated from top to bottom. Place specific rules before more general rules.
    • Place rules that exclude traffic from decryption at the top. Decryption policy rules are compared against the traffic in sequence.
    Exclude Certain Traffic from Decryption.
    For granular control over how the traffic is decrypted, create and apply decryption profilesto decryption policy rules.

    © 2026 Palo Alto Networks, Inc. All rights reserved.