Apply Granular Settings to Traffic Matching a Decryption Policy Rule (PAN-OS & Panorama)

1. Create a decryption profile.

   1. Select ObjectsDecryption Profile, and then click Add.
   2. Enter a descriptive Name for the profile.

      Names are case-sensitive and must be unique. You can use up to 31 characters, including letters, numbers, spaces, hyphens, and underscores.
   3. (Optional, Panorama only) Configure profile sharing and inheritance settings.

      • To share this profile across all virtual systems (vsys) on a multi-vsys NGFW or Panorama device groups, select Shared.
      • To prevent the override of profile settings in device groups that inherit the profile, select Disable override.
        By default, this setting is disabled; administrators can override settings in any device group that inherits the profile.
   4. (Optional, Decryption Mirroring only) Enable mirroring of decrypted traffic.

      Before enabling this feature, you must configure Decryption Port Mirroring.

      1. Select the Ethernet Interface for mirroring decrypted traffic.
      2. To mirror decrypted traffic only after Security policy rule enforcement, enable Forwarded Only.
         When enabled, the NGFW mirrors traffic after the Security policy rule lookup and just before re-encryption. If a Security policy rule drops the traffic, the NGFW does not mirror it. Enable this setting if you forward traffic to a threat detection device, such as a data loss prevention (DLP) device or an intrusion prevention system (IPS).
2. (Optional) Define session controls and connection parameters for SSL/TLS traffic.

   For descriptions of each setting, see Decryption Profile Settings.

   1. To configure session controls:

      1. Select SSL Decryption, and then select either SSL Forward Proxy or SSL Inbound Inspection.
      2. (Optional) For SSL Forward Proxy, enable settings for Server Certificate Verification, Unsupported Mode Checks, Failure Checks, and Client Extension.
         If you enable Bypass Server Certificate Verification, the NGFW does not perform any other server certificate checks.
      3. (Optional) For SSL Inbound Inspection, enable settings for Unsupported Mode Checks and Failure Checks.
   2. Configure minimum and maximum Protocol Versions.

      1. Select SSL Protocol Settings.
      2. For Min Version, select from SSLv3.0 and TLSv1.0–TLSv1.3.
         Set the Min Version to TLSv1.3.
      3. For Max Version, select from SSLv3.0, TLSv1.0–TLSv1.3, and Max.
         Set the Max Version to Max to automatically support the newest TLS version.
   3. Configure Key Exchange Algorithms.

      By default, RSA, DHE, and ECDHE are enabled.

      Starting in PAN-OS 12.1.2, you can enable post-quantum cryptography (PQC) algorithms for TLSv1.3 sessions. You must enable TLSv1.3 in the SSL Protocol Settings.

      • To configure classical key exchange algorithms (RSA, DHE, and ECDHE):
        • (PAN-OS 11.2 and earlier) Enable or disable algorithms as needed.
        • (PAN-OS 12.1.2 and later) Select Classical, and then enable or disable algorithms as needed.
          If you enable PQC algorithms and a client or server does not support PQC, the NGFW negotiates a mutually supported classical algorithm.
      • To configure post-quantum (PQ) key encapsulation mechanisms (KEM) for TLSv1.3 sessions:
        1. Select Post-quantum Cryptography (PQC), and then select PQC algorithm types:
           • PQC-Standard—Enables the NIST-standardized algorithm, ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism)
           • PQC-Experimental—Enables nonstandardized algorithms, HQC, Bike, and Frodo-KEM
        2. For Preferred Session Settings, select the proxy sessions that prioritize PQC:
           The NGFW negotiates a PQ KEM for the selected sessions when possible. The NGFW translates between PQC and classical encryption, so it can secure one proxy session with PQC even if the other side only supports classical algorithms.
           • Post-Quantum SSL preferred for Client-side session—The firewall (acting as a server) negotiates PQC algorithms if included in the client's cipher suite list
           • Post-Quantum SSL preferred for Server-side session—The firewall (acting as a client) places PQC algorithms first in its cipher suite list
   4. Configure Encryption Algorithms.
   5. Configure Authentication Algorithms.

      By default, MD5 is blocked.
3. (Optional) Define session controls for traffic you do not decrypt.

   1. Select No Decryption.
   2. For Server Certificate Verification, enable Block sessions with expired certificates or Block sessions with untrusted issuers.
4. (Optional) Define session controls for SSH traffic.

   1. Select SSH Proxy.
   2. (Optional) For Unsupported Mode Checks, enable Block sessions with unsupported versions or Block sessions with unsupported algorithms.
   3. (Optional) For Failure Checks, enable Block sessions on SSH errors or Block sessions if resources not available.
5. Click OK.
6. Apply the profile to the appropriate decryption policy rules.
7. Commit your changes.