The Transport Layer Security (TLS) protocol, which evolved from the Secure Sockets Layer (SSL), and the Secure Shell (SSH) protocol secure communication between two entities, such as a web server and a client. While SSL/TLS typically secures web-based communications, SSH typically secures remote access to servers and devices. These protocols use public and private key cryptography to establish secure connections. They encrypt data in a way that renders it meaningless to any entity lacking the certificate and keys required to establish trust and decode the data. However, the privacy and integrity that encryption provides can be exploited. For example, suppose an attacker installs malware on an HTTPS website, and employees visit the site and unknowingly download malware. The malware can use the infected employee endpoint to move laterally through the network and compromise other systems. Thus, traffic should not be trusted automatically.

Decryption is the process of converting encrypted data into its original format, so that it's readable. This process allows for inspection and visibility into SSL/TLS and SSH traffic. You can decrypt both outbound and inbound traffic. SSL Forward Proxy inspects traffic exiting your internal network to the internet. SSL Inbound Inspection inspects traffic entering internal network servers. SSH Proxy inspects and controls traffic in SSH tunnels. Consider that you can’t block traffic that you don't inspect.

Decrypt SSL and SSH traffic to:

SSL decryption uses keys and certificates to establish a Next-Generation Firewall (NGFW) as a trusted third party between a client and a server. The NGFW decrypts SSL/TLS traffic to plaintext for inspection. Then, the NGFW re-encrypts the traffic before forwarding it to its destination, ensuring the privacy and security of the data. SSL decryption works with Advanced Threat Prevention, Advanced URL Filtering, and other services that require packet inspection. Without SSL decryption, you couldn't create exceptions to URL categories for websites encrypted with HTTPS. It also provides additional use cases for these services. For example, you can selectively decrypt traffic based on URL categories and apply threat prevention controls.

SSH decryption does not require certificates. With SSH decryption enabled, an NGFW decrypts and blocks or restricts SSH traffic according to your decryption policy rules and profiles. It specifically tackles SSH tunneling. The NGFW also re-encrypts the SSH traffic as it exits. You can use Decryption Port Mirroring to forward decrypted traffic to a third-party solution for additional analysis and archiving. All mirrored traffic, including sensitive information, is forwarded in cleartext.

Palo Alto Networks decryption is policy-based. NGFWs handle encrypted traffic according to a decryption policy. A decryption policy consists of one or more decryption policy rules, which specify the traffic targeted for decrypted, the type of decryption performed, and how certain traffic is handled. Configure and associate a decryption profile with a decryption policy rule to define the protocol versions and cipher suites supported by the client (in the case of SSL decryption) or to configure certificate verification and other checks. For example, you can create a no-decryption policy rule and profile to bypass decryption of financial or healthcare data.

Decrypting all traffic indiscriminately can be resource-intensive. When planning for and implementing decryption, balance the need for thorough inspection with considerations of performance, compliance, security, and resource management. For example, if performance and sizing are major considerations, you might prioritize the decryption of traffic to high- or medium-risk URL categories, traffic destined for critical servers, or business-critical traffic. Some traffic can't be decrypted for technical, legal, or other reasons. Understand the traffic you can and can’t decrypt when developing a decryption strategy. Use the Decryption Best Practices Checklist to plan, implement, and maintain your decryption deployment.