>
    Strata Copilot
    Decryption Features
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Features Introduced in PAN-OS 12.1
    4. Decryption Features
    Download PDF
    Next-Generation Firewall

    Decryption Features

    Table of Contents

    Decryption Features

    What new decryption features are included in PAN-OS 12.1?

    Comprehensive Decryption Log Fields and Error Messages

    August 2025
    • Introduced in PAN-OS 12.1.2
    Your Next-Generation Firewall (NGFW) acts as a proxy between clients and servers during SSL Forward Proxy and SSL Inbound Inspection, making visibility into each proxied connection essential. However, decryption logs that lack this visibility, miss other critical details, or are difficult to analyze complicate monitoring and hinder troubleshooting. PAN-OS® 12.1 addresses these issues with comprehensive improvements to decryption logs.
    Decryption log fields now distinguish between the client-side session (traffic between the client and NGFW) and the server-side session (traffic between the NGFW and server). These fields have a "client" or "server" prefix, enabling you to compare values and understand what is happening at each stage of the proxied connection. Fields that apply to the session as a whole, such as Session ID, do not have these labels.
    In addition, new fields record decryption status, reasons for decryption exclusion, and certificate revocation status based on Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) checks. For example, Decryption Status records if a session was decrypted or not and whether it was by failure or design.
    Further, existing error messages have been simplified, and new error messages have been added. These updates make it easier to interpret decryption log errors and identify the ones requiring more immediate attention.
    All decryption log improvements are automatically enabled for platforms with decryption logging capabilities.

    Post-quantum Cryptography (PQC) Support for TLSv1.3 Decryption

    August 2025
    • Introduced in PAN-OS 12.1.2
    Adopting post-quantum cryptography (PQC) is critical to protecting your organization and its assets against future quantum computers, which will break today’s classical cryptography. Failure to adopt PQC early increases the risk of compromise of sensitive data with attacks like Harvest Now, Decrypt Later already under way. On the other hand, upgrading legacy applications and systems is a time-consuming and costly process that risks service disruption and data security without proper guardrails in place. Accounting for these concerns, PAN-OS® 12.1 adds support for securing TLSv1.3 sessions using post-quantum (PQ) key encapsulation mechanisms (KEMs) to SSL Forward Proxy, SSL Inbound Inspection, Decryption Mirror, and the Network Packet Broker features.
    In decryption profiles, you can enable PQ KEMs standardized by the National Institute of Standards and Technology (NIST) or nonstandardized, experimental options. You can also specify if your selected algorithms are preferred by the client-side, server-side, or both. Next-Generation Firewalls (NGFWs) now serve as cipher translation proxies, translating between PQC and classical encryption for applications that are not yet post-quantum ready. For example, you can use quantum-safe encryption for communications between end users and NGFWs but classical encryption for connections between an NGFW and applications.
    This solution secures both legacy and quantum-safe systems and applications, enables you to meet PQC mandates, and reduces stress and complexity around PQC upgrades.

    © 2025 Palo Alto Networks, Inc. All rights reserved.