Apply Granular Settings to Traffic Matching a Decryption Policy Rule (PAN-OS & Panorama)
  1. Create a decryption profile.
    1. Select Objects > Decryption Profile, and then click Add.
    2. Enter a descriptive Name.
    3. (Optional) To make the profile available across all virtual systems on an NGFW or each Panorama device group, select Shared.
  2. (Decryption Mirroring Only) Enable the Ethernet Interface to use for copying and forwarding decrypted traffic.
    Separately from this task, follow the steps to configure Decryption Port Mirroring. Be aware of local privacy regulations that prohibit mirroring or restrict the type of traffic you can mirror. Decryption Port Mirroring requires a Decryption Port Mirroring license.
  3. (Optional) Enable server certificate verification, unsupported mode, and failure checks, and configure TLS connection parameters.
    For descriptions of these settings, see Summary of Decryption Profile Settings.
    1. Select SSL Decryption, and then select either SSL Forward Proxy or SSL Inbound Inspection.
      • Configure Server Certificate Verification, Unsupported Mode Checks, Failure Checks, and Client Extension settings for SSL Forward Proxy.
      • Configure Unsupported Mode Checks and Failure Checks for SSL Inbound Inspection.
    2. Specify TLS protocol versions and cipher suites to support for TLS connections:
      1. Select SSL Protocol Settings.
      2. For Protocol Versions, select a Min Version and a Max Version.
        Set the Max Version to Max to support the newest TLS protocol version when available.
      3. Enable or disable the desired Key Exchange Algorithms. The RSA, DHE, and ECDHE key exchange algorithms are enabled by default.
      4. Enable or disable the desired Encryption Algorithms.
      5. Enable or disable the desired Authentication Algorithms.
        The MD5 algorithm is blocked by default.
  4. (Optional) Configure Server Certificate Verification settings for traffic you don't decrypt.
    Apply no-decryption profiles to decryption policy rules that control traffic excluded from decryption for compliance, legal, and other nontechnical reasons. If a server breaks decryption for technical reasons, add it to the SSL Decryption Exclusion list (Device > Certificate Management > SSL Decryption Exclusion) instead.
    1. Select No Decryption.
    2. Enable Block sessions with expired certificates or Block sessions with untrusted issuers.
  5. (Optional) Configure Unsupported Mode Checks and Failure Checks for SSH traffic.
    1. Select SSH Proxy.
    2. For Unsupported Mode Checks, enable Block sessions with unsupported versions or Block sessions with unsupported algorithms.
    3. For Failure Checks, enable Block sessions on SSH errors or Block sessions if resources not available.
  6. Apply the profile to the appropriate decryption policy rules.
  7. Commit your configuration.
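The procedure above is driven through the web interface. The following is an added example (not part of the Palo Alto Networks documentation) that models a decryption profile as a plain Python structure, audits it against the checks the steps call out (minimum TLS version, Max Version set to Max, MD5 and other weak algorithms disabled, expired-certificate and untrusted-issuer blocking enabled for both the forward-proxy and no-decryption cases), and renders it as PAN-OS CLI `set` commands so the same profile can be applied from a script. The CLI keyword names used here (`ssl-protocol-settings`, `keyxchg-algo-*`, `enc-algo-*`, `auth-algo-*`, `ssl-forward-proxy`, `ssl-no-proxy`, and the `block-*` options) are assumptions based on the PAN-OS configuration schema and are not taken from this page; confirm them on your PAN-OS version with tab completion (`set shared profiles decryption <name> ?`) before committing. The two sample profiles are constructed for illustration.

```python
"""Audit a PAN-OS decryption profile and render it as CLI set commands.

Added example; not vendor code. CLI keyword names below are ASSUMED from the
PAN-OS configuration schema and must be verified on the target firewall.
"""
from typing import Dict, List

# Protocol version keywords in ascending order; "max" means newest available.
TLS_ORDER = ["tls1-0", "tls1-1", "tls1-2", "tls1-3", "max"]

# Constructed sample: a profile that was left with permissive defaults.
WEAK_PROFILE: Dict = {
    "name": "decrypt-weak",
    "protocol": {"min-version": "tls1-0", "max-version": "tls1-2"},
    "key-exchange": {"rsa": True, "dhe": True, "ecdhe": True},
    "encryption": {"3des": True, "rc4": True, "aes-128-cbc": True, "aes-256-gcm": True},
    "authentication": {"md5": True, "sha1": True, "sha256": True},
    "forward-proxy": {"block-expired-certificate": False, "block-untrusted-issuer": False},
    "no-proxy": {"block-expired-certificate": False, "block-untrusted-issuer": False},
}

# Constructed sample: the same profile with the settings the procedure recommends.
HARDENED_PROFILE: Dict = {
    "name": "decrypt-hardened",
    "protocol": {"min-version": "tls1-2", "max-version": "max"},
    "key-exchange": {"rsa": False, "dhe": True, "ecdhe": True},
    "encryption": {"3des": False, "rc4": False, "aes-128-cbc": True, "aes-256-gcm": True},
    "authentication": {"md5": False, "sha1": True, "sha256": True},
    "forward-proxy": {"block-expired-certificate": True, "block-untrusted-issuer": True},
    "no-proxy": {"block-expired-certificate": True, "block-untrusted-issuer": True},
}


def audit(profile: Dict) -> List[str]:
    """Return a list of findings; an empty list means the profile passes."""
    findings: List[str] = []
    proto = profile["protocol"]
    if TLS_ORDER.index(proto["min-version"]) < TLS_ORDER.index("tls1-2"):
        findings.append("min-version below TLS 1.2")
    if proto["max-version"] != "max":
        findings.append("max-version pinned; set to max to allow the newest TLS version")
    # RSA key exchange has no forward secrecy; flag it so the choice is deliberate.
    if profile["key-exchange"].get("rsa"):
        findings.append("RSA key exchange enabled (no forward secrecy)")
    for weak in ("3des", "rc4"):
        if profile["encryption"].get(weak):
            findings.append(f"weak cipher {weak} enabled")
    if profile["authentication"].get("md5"):
        findings.append("MD5 authentication enabled")
    # Both the forward-proxy and the no-decryption settings should block bad certs.
    for section in ("forward-proxy", "no-proxy"):
        for check, enabled in profile[section].items():
            if not enabled:
                findings.append(f"{section}: {check} disabled")
    return findings


def emit_set_commands(profile: Dict) -> List[str]:
    """Render the profile as PAN-OS CLI set commands (keyword names assumed)."""
    base = f"set shared profiles decryption {profile['name']}"
    yn = lambda flag: "yes" if flag else "no"
    proto = profile["protocol"]
    cmds = [
        f"{base} ssl-protocol-settings min-version {proto['min-version']}",
        f"{base} ssl-protocol-settings max-version {proto['max-version']}",
    ]
    for alg, on in profile["key-exchange"].items():
        cmds.append(f"{base} ssl-protocol-settings keyxchg-algo-{alg} {yn(on)}")
    for alg, on in profile["encryption"].items():
        cmds.append(f"{base} ssl-protocol-settings enc-algo-{alg} {yn(on)}")
    for alg, on in profile["authentication"].items():
        cmds.append(f"{base} ssl-protocol-settings auth-algo-{alg} {yn(on)}")
    for check, on in profile["forward-proxy"].items():
        cmds.append(f"{base} ssl-forward-proxy {check} {yn(on)}")
    for check, on in profile["no-proxy"].items():
        cmds.append(f"{base} ssl-no-proxy {check} {yn(on)}")
    return cmds


if __name__ == "__main__":
    for prof in (WEAK_PROFILE, HARDENED_PROFILE):
        print(f"== {prof['name']} ==")
        for f in audit(prof) or ["no findings"]:
            print("  -", f)
    print("\n".join(emit_set_commands(HARDENED_PROFILE)))
```

Run the audit before pushing a profile to Panorama or an NGFW; the commands it emits are for configure mode and still need a commit (step 7) to take effect.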