Enable Decryption

Use decryption policy rules and profiles to define the traffic you decrypt and the traffic to exclude from decryption because of regulations, business reasons, or privacy reasons.
Where Can I Use This? What Do I Need?
No separate license required for decryption when using NGFWs or Prisma Access.
Note: The features and capabilities available to you in Strata Cloud Manager depend on your active license(s).
Enable decryption for visibility into traffic passing through your network—potential threats, unwanted traffic, and other anomalies that might otherwise go unexamined. Decryption involves the conversion of encrypted traffic to plaintext for deep inspection. The Next-Generation Firewall (NGFW) inspects the traffic and applies relevant decryption policy rules and profiles. Traffic is re-encrypted before it exits the NGFW. Many services rely on and enhance decryption capabilities, including Advanced URL Filtering, Advanced Threat Prevention, and Advanced WildFire®. You can't protect your network against threats you can't see. Reasons to enable decryption include preventing the exfiltration of sensitive data, ensuring legal or regulatory compliance, and enabling filtering of HTTPS websites.
Enabling decryption impacts throughput performance. To correctly size NGFWs, identify traffic to prioritize for decryption, run a proof of concept, and work with Palo Alto Networks experts.
A best practice decryption deployment aims to decrypt as much traffic as possible while properly managing undecrypted traffic. The following high-level steps are key to building a robust, informed decryption deployment.
The decryption deployment best practices checklist provides a comprehensive list of best practices for each step of the way.