Apply Granular Settings to Traffic Matching a Decryption Policy Rule
Define protocol versions, algorithms, certificate verification, and other settings in
a decryption profile for traffic meeting the criteria in associated decryption policy
rules.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | No separate license required for decryption when using NGFWs or Prisma Access. Note: The features and capabilities available to you in Strata Cloud Manager depend on your active license(s). |
Configure a decryption profile to define TLS handshake settings or
session controls for traffic that you decrypt or intentionally exclude from decryption. Decryption
profiles enable granular control over decrypted and nondecrypted sessions, so you
can tailor decryption policy rules to meet security and compliance requirements.
After you apply a decryption profile to decryption policy rules, the
Next-Generation Firewall (NGFW) enforces the profile settings on
traffic matching all the criteria in the rule.
Each type of decryption profile has different settings to configure.
- SSL/TLS Decryption Profile (SSL Forward Proxy and SSL Inbound Inspection)—Use to specify supported TLS versions and cipher suites, block sessions based on checks for unsupported modes, session failures, and certificate validity, and configure additional settings. Starting in PAN-OS 12.1.2, you can enable post-quantum cryptography (PQC) algorithms for TLSv1.3 sessions.
- No-Decryption Profile—Use to verify server certificates and certificate issuer trustworthiness for traffic that bypasses decryption for compliance, legal, and nontechnical reasons, and to refuse connections to servers with expired or untrusted certificates. This mitigates the risk of users connecting to malicious or questionable servers. Apply these profiles only to decryption policy rules with a no-decrypt action. TLSv1.3 encrypts certificates during the TLS handshake, preventing the NGFW from blocking TLSv1.3 sessions based on certificate information. As a result, applying a no-decryption profile that only supports TLSv1.3 to a no-decryption policy rule has no functional effect beyond the logging provided by the policy rule itself. For no-decryption profiles that support other TLS versions in addition to TLSv1.3, the NGFW only enforces certificate checks for TLSv1.2 and earlier sessions but logs all sessions.
- SSH Proxy Profile—Use to block sessions based on checks for unsupported modes and session failures.
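How the checks above combine on a single session, including the TLSv1.3 caveat for no-decryption profiles, as an added Python model that is not NGFW code; the Profile and Session fields and the cipher names are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed model of how a decryption profile is applied to one session. Added illustration
# only, not NGFW code; the field names, cipher names and the Session record are assumptions.
TLS_VERSIONS = ["SSLv3.0", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

@dataclass
class Profile:
    kind: str  # "ssl-forward-proxy", "ssl-inbound-inspection" or "no-decryption"
    min_version: str = "TLSv1.3"
    max_version: str = "Max"  # "Max" follows the newest version the NGFW supports
    allowed_ciphers: frozenset = frozenset({"AES256-GCM", "AES128-GCM", "CHACHA20-POLY1305"})
    block_unsupported_version: bool = True
    block_unsupported_cipher: bool = True
    block_expired: bool = True
    block_untrusted: bool = True

@dataclass
class Session:
    version: str
    cipher: str
    cert_expired: bool = False
    cert_untrusted: bool = False

def evaluate(profile, s):
    """Return ("allow" or "block", list of log reasons) for one session under the profile."""
    log, checks = [], []
    decrypting = profile.kind != "no-decryption"
    if decrypting:  # Unsupported Mode Checks exist only on profiles that decrypt
        lo = TLS_VERSIONS.index(profile.min_version)
        hi = len(TLS_VERSIONS) - 1 if profile.max_version == "Max" else TLS_VERSIONS.index(profile.max_version)
        checks += [(not lo <= TLS_VERSIONS.index(s.version) <= hi, f"unsupported version {s.version}",
                    profile.block_unsupported_version),
                   (s.cipher not in profile.allowed_ciphers, f"unsupported cipher {s.cipher}",
                    profile.block_unsupported_cipher)]
    if profile.kind in ("ssl-forward-proxy", "no-decryption"):  # Server Certificate Verification
        if not decrypting and s.version == "TLSv1.3":
            # The certificate is encrypted in a TLSv1.3 handshake, so a no-decryption profile
            # cannot enforce certificate checks; the session is only logged.
            log.append("certificate not visible in TLSv1.3 handshake; logged only")
        else:
            checks += [(s.cert_expired, "expired certificate", profile.block_expired),
                       (s.cert_untrusted, "untrusted issuer", profile.block_untrusted)]
    for failed, reason, block in checks:
        if failed:
            log.append(reason)
            if block:
                return "block", log
    return "allow", log
```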
If an NGFW is in FIPS-CC mode and managed by a Panorama™
management server in standard mode, a decryption profile must be created locally
on the NGFW. Decryption profiles created on Panorama in standard
mode contain references to the 3DES and
RC4 encryption algorithms and the
MD5 authentication algorithm that aren't supported
and cause pushes to managed NGFWs to fail.
Best Practices and Considerations for Decryption Profiles
- Always apply a decryption profile to decryption policy rules to protect your network against sessions with expired certificates or untrusted issuers. You can’t protect yourself against threats you can’t see.
- Use the strongest ciphers that you can. Weak protocols and weak algorithms contain known vulnerabilities that attackers can exploit. Set Min Version to TLSv1.3 and Max Version to Max to block weak protocols.
- Create separate decryption profiles when necessary to maximize security, and reuse profiles where applicable:
  - For example, suppose a key partner or contractor uses legacy systems with weak protocols or algorithms. You can create a decryption profile that allows the weaker protocols or algorithms and attach it to a decryption policy rule that applies only to the relevant traffic (for example, the source IP address of the partner).
  - If you need to allow client authentication, create a decryption profile with client authentication settings, and apply it only to decryption policy rules for traffic that requires client authentication. Create separate profiles with protocol settings that match the capabilities of the servers whose inbound or outbound traffic you are inspecting.
- Many mobile applications use pinned certificates. Because TLSv1.3 encrypts certificate information, the NGFW can’t automatically add these applications to the SSL Decryption Exclusion list. As a result, if you enable TLSv1.3, the NGFW may drop some mobile applications. For these applications, you can either set the maximum TLS version to TLSv1.2 or create a no-decryption policy rule specifically for this traffic.
- For SSL Forward Proxy traffic and traffic that you choose not to decrypt, configure both certificate revocation list (CRL) and Online Certificate Status Protocol (OCSP) certificate revocation checks.
Best Practices By Profile Type
| Profile Type | Recommended Settings |
|---|---|
| SSL Forward Proxy | Block sessions with expired certificates; Block sessions with untrusted issuers; Block sessions with unsupported protocol versions; Block sessions with unsupported cipher suites; Block sessions with client authentication |
| SSL Inbound Inspection | Block sessions with unsupported versions; Block unsupported cipher suites |
| No Decryption | Block sessions with expired certificates; Block sessions with untrusted issuers |
| SSH Proxy | Block sessions with unsupported versions; Block sessions with unsupported algorithms |
For more best practice insights, see Deploy SSL Decryption Using Best
Practices.
Apply Granular Settings to Traffic Matching a Decryption Policy Rule (Strata Cloud Manager)
- Create a decryption profile.
  - Select Configuration > Security Services > Decryption.
  - Under Decryption Profiles, click Add Profile.
  - Enter a descriptive Name for the profile. Names are case-sensitive and must be unique. You can use up to 31 characters, including letters, numbers, spaces, hyphens, and underscores.
- (Optional, Decryption Mirroring only) Enable mirroring of decrypted traffic. Before enabling this feature, you must configure Decryption Port Mirroring.
  - Select an Ethernet Interface for mirroring decrypted traffic.
  - To mirror decrypted traffic only after Security policy rule enforcement, enable Forwarded Only. When enabled, the NGFW mirrors traffic after the Security policy rule lookup and just before re-encryption. If a Security policy rule drops the traffic, the NGFW does not mirror it. Enable this setting if you forward traffic to a threat detection device, such as a data loss prevention (DLP) device or an intrusion prevention system (IPS).
- (Optional) Define TLS Handshake Settings for SSL Forward Proxy and SSL Inbound Inspection.
  - For Protocol Min Version, select from SSLv3.0 and TLSv1.0–TLSv1.3. Set the Protocol Min Version to TLSv1.3.
  - For Protocol Max Version, select from SSLv3.0, TLSv1.0–TLSv1.3, and Max. Set the Protocol Max Version to Max to automatically support the newest TLS version.
  - Configure Key Exchange Algorithms. By default, RSA, DHE, and ECDHE are enabled. You can enable post-quantum cryptography (PQC) algorithms for TLSv1.3 sessions; you must enable TLSv1.3 in the Handshake Settings.
    - To configure traditional key exchange algorithms (RSA, DHE, and ECDHE), select Classical, and then enable or disable algorithms as needed. If you enable PQC algorithms and a client or server does not support PQC, the NGFW negotiates a mutually supported classical algorithm.
    - To configure post-quantum (PQ) key encapsulation mechanisms (KEM) for TLSv1.3 sessions:
      - Select Post-Quantum Cryptography (PQC), and then select PQC algorithm types:
        - PQC Standard—Enables the NIST-standardized algorithm, ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism)
        - PQC Experimental—Enables nonstandardized algorithms, HQC, Bike, and Frodo-KEM
      - For Preferred Session Settings, select the proxy sessions that prioritize PQC. The NGFW negotiates a PQ KEM for the selected sessions when possible. The NGFW translates between PQC and classical encryption, so it can secure one proxy session with PQC even if the other side only supports classical algorithms.
        - Post-Quantum SSL preferred for Client-side session—The firewall (acting as a server) negotiates PQC algorithms if included in the client's cipher suite list
        - Post-Quantum SSL preferred for Server-side session—The firewall (acting as a client) places PQC algorithms first in its cipher suite list
  - Configure Encryption Algorithms. Enable or disable algorithms as needed.
  - Configure Authentication Algorithms. By default, MD5 is blocked. Enable or disable algorithms as needed.
- (Optional) Define session controls for SSL Forward Proxy. To configure the Failure Checks and Client Extensions settings and additional Server Certificate Verification and Unsupported Mode Checks settings, click Advanced. An Advanced SSL Forward Proxy Settings sidebar displays.
  - For Server Certificate Verification, enable Block sessions with expired certificates or Block sessions with untrusted issuers. You can configure the following Advanced settings:
    - Block sessions with unknown certificate status
    - Block sessions on certificate status check timeout
    - Restrict certificate extensions
    - Append certificate's CN value to SAN extension
    - Automatically Fetch Intermediate Certificates
  - For Unsupported Mode Checks, enable Block sessions with unsupported versions or Block sessions with unsupported cipher suites. You can configure the Advanced setting Block sessions with client authentication.
  - For Bypass Checks, enable Bypass Server Certificate Verification. If you enable Bypass Server Certificate Verification, the NGFW does not perform any other server certificate checks.
  - (Optional) To configure Failure Checks and Client Extension settings:
    - Select Advanced.
    - (Optional) For Failure Checks, enable Block downgrade on no resource.
    - (Optional) For Client Extension, enable Strip ALPN.
    - Save the Advanced SSL Forward Proxy Settings.
- (Optional) Define session controls for SSL Inbound Inspection.
  - For Unsupported Mode Checks, enable Block sessions with unsupported versions or Block sessions with unsupported cipher suites.
  - For Failure Checks, enable Block sessions if resources not available or Block sessions if HSM not available.
- (Optional) Define session controls for traffic you do not decrypt.
  - For Server Certificate Verification, select Block sessions with expired certificates or Block sessions with untrusted issuers. Apply no-decryption profiles to decryption policy rules that control traffic excluded from decryption for compliance, legal, and nontechnical reasons. If a server breaks decryption for technical reasons, add it to the Global Decryption Exclusion list instead.
- Save the profile.
- Apply the profile to the appropriate decryption policy rules.
- Commit your changes. Click Push Config > Push.
Apply Granular Settings to Traffic Matching a Decryption Policy Rule (PAN-OS & Panorama)
- Create a decryption profile.
  - Select Objects > Decryption Profile, and then click Add.
  - Enter a descriptive Name for the profile. Names are case-sensitive and must be unique. You can use up to 31 characters, including letters, numbers, spaces, hyphens, and underscores.
- (Optional, Panorama only) Configure profile sharing and inheritance settings.
  - To share this profile across all virtual systems (vsys) on a multi-vsys NGFW or Panorama device groups, select Shared.
  - To prevent the override of profile settings in device groups that inherit the profile, select Disable override. By default, this setting is disabled; administrators can override settings in any device group that inherits the profile.
- (Optional, Decryption Mirroring only) Enable mirroring of decrypted traffic. Before enabling this feature, you must configure Decryption Port Mirroring.
  - Select the Ethernet Interface for mirroring decrypted traffic.
  - To mirror decrypted traffic only after Security policy rule enforcement, enable Forwarded Only. When enabled, the NGFW mirrors traffic after the Security policy rule lookup and just before re-encryption. If a Security policy rule drops the traffic, the NGFW does not mirror it. Enable this setting if you forward traffic to a threat detection device, such as a data loss prevention (DLP) device or an intrusion prevention system (IPS).
- (Optional) Define session controls and connection parameters for SSL/TLS traffic. For descriptions of each setting, see Decryption Profile Settings.
  - To configure session controls:
    - Select SSL Decryption, and then select either SSL Forward Proxy or SSL Inbound Inspection.
    - (Optional) For SSL Forward Proxy, enable settings for Server Certificate Verification, Unsupported Mode Checks, Failure Checks, and Client Extension. If you enable Bypass Server Certificate Verification, the NGFW does not perform any other server certificate checks.
    - (Optional) For SSL Inbound Inspection, enable settings for Unsupported Mode Checks and Failure Checks.
  - Configure minimum and maximum Protocol Versions.
    - Select SSL Protocol Settings.
    - For Min Version, select from SSLv3.0 and TLSv1.0–TLSv1.3. Set the Min Version to TLSv1.3.
    - For Max Version, select from SSLv3.0, TLSv1.0–TLSv1.3, and Max. Set the Max Version to Max to automatically support the newest TLS version.
  - Configure Key Exchange Algorithms. By default, RSA, DHE, and ECDHE are enabled. Starting in PAN-OS 12.1.2, you can enable post-quantum cryptography (PQC) algorithms for TLSv1.3 sessions; you must enable TLSv1.3 in the SSL Protocol Settings.
    - To configure classical key exchange algorithms (RSA, DHE, and ECDHE):
      - (PAN-OS 11.2 and earlier) Enable or disable algorithms as needed.
      - (PAN-OS 12.1.2 and later) Select Classical, and then enable or disable algorithms as needed. If you enable PQC algorithms and a client or server does not support PQC, the NGFW negotiates a mutually supported classical algorithm.
    - To configure post-quantum (PQ) key encapsulation mechanisms (KEM) for TLSv1.3 sessions:
      - Select Post-quantum Cryptography (PQC), and then select PQC algorithm types:
        - PQC-Standard—Enables the NIST-standardized algorithm, ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism)
        - PQC-Experimental—Enables nonstandardized algorithms, HQC, Bike, and Frodo-KEM
      - For Preferred Session Settings, select the proxy sessions that prioritize PQC. The NGFW negotiates a PQ KEM for the selected sessions when possible. The NGFW translates between PQC and classical encryption, so it can secure one proxy session with PQC even if the other side only supports classical algorithms.
        - Post-Quantum SSL preferred for Client-side session—The firewall (acting as a server) negotiates PQC algorithms if included in the client's cipher suite list
        - Post-Quantum SSL preferred for Server-side session—The firewall (acting as a client) places PQC algorithms first in its cipher suite list
  - Configure Encryption Algorithms.
  - Configure Authentication Algorithms. By default, MD5 is blocked.
- (Optional) Define session controls for traffic you do not decrypt.
  - Select No Decryption.
  - For Server Certificate Verification, enable Block sessions with expired certificates or Block sessions with untrusted issuers.
- (Optional) Define session controls for SSH traffic.
  - Select SSH Proxy.
  - (Optional) For Unsupported Mode Checks, enable Block sessions with unsupported versions or Block sessions with unsupported algorithms.
  - (Optional) For Failure Checks, enable Block sessions on SSH errors or Block sessions if resources not available.
- Click OK.
- Apply the profile to the appropriate decryption policy rules.
- Commit your changes.
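The PQC key-exchange behaviour described in both procedures above (Classical fallback, the PQC Standard and Experimental sets, and the client-side and server-side preferences), modelled as an added Python example that is not NGFW code; the profile field names and the assumption that a peer accepts the first offered group it supports are the example's own.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of key-exchange negotiation across the two proxied legs of an SSL Forward
# Proxy session. Added illustration only, not NGFW code; the field names and the peer behaviour
# (a peer accepts the first offered group it supports) are assumptions.
CLASSICAL = ["ECDHE", "DHE", "RSA"]
PQC_STANDARD = ["ML-KEM"]
PQC_EXPERIMENTAL = ["HQC", "BIKE", "FrodoKEM"]

@dataclass
class KexProfile:
    tls13_enabled: bool = True
    classical: tuple = tuple(CLASSICAL)  # classical algorithms left enabled in the profile
    pqc_standard: bool = False
    pqc_experimental: bool = False
    prefer_pqc_client_side: bool = False  # NGFW acts as the server toward the client
    prefer_pqc_server_side: bool = False  # NGFW acts as the client toward the server

def pqc_groups(p: KexProfile) -> List[str]:
    """PQ KEMs the profile allows; they are usable only when TLSv1.3 is enabled."""
    if not p.tls13_enabled:
        return []
    return (PQC_STANDARD if p.pqc_standard else []) + (PQC_EXPERIMENTAL if p.pqc_experimental else [])

def client_side_kex(p: KexProfile, client_offer: List[str]) -> Optional[str]:
    """NGFW as server: take a PQ KEM from the client's list when the client-side preference is
    set, otherwise the first classical algorithm both sides support (None if there is none)."""
    if p.prefer_pqc_client_side:
        for group in client_offer:
            if group in pqc_groups(p):
                return group
    return next((g for g in client_offer if g in p.classical), None)

def ngfw_offer(p: KexProfile) -> List[str]:
    """NGFW as client: its offer list, with PQ KEMs placed first only under the server-side preference."""
    pq, classical = pqc_groups(p), list(p.classical)
    return pq + classical if p.prefer_pqc_server_side else classical + pq

def server_side_kex(p: KexProfile, server_supports: List[str]) -> Optional[str]:
    """Assumed server behaviour: accept the first group in the NGFW's offer that it supports."""
    return next((g for g in ngfw_offer(p) if g in server_supports), None)

def proxied_session(p: KexProfile, client_offer: List[str], server_supports: List[str]) -> dict:
    """Each leg is negotiated on its own, so one leg can use PQC while the other stays classical."""
    return {"client_side": client_side_kex(p, client_offer),
            "server_side": server_side_kex(p, server_supports)}
```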