>
    Strata Copilot
    Plan Your Decryption Deployment
    Focus
    Download PDF
    Focus
    1. Home
    2. Network Security
    4. Plan Your Decryption Deployment
    Download PDF
    Network Security

    Plan Your Decryption Deployment

    Table of Contents

    Plan Your Decryption Deployment

    Proper preparation makes deploying decryption easier and smoother because everyone from IT to executives to the user base is educated and ready for the changes.
    Where Can I Use This?What Do I Need?
    No separate license required for decryption when using NGFWs or Prisma Access.
    Note: The features and capabilities available to you in Strata Cloud Manager depend on your active license(s).
    The most time-consuming part of deploying decryption isn’t configuring decryption policy rules or decryption profiles. It is the preparation—working with stakeholders to decide what traffic to decrypt, educating users about changes to website access, developing a public key infrastructure (PKI) strategy, sizing your Next-Generation Firewall (NGFW) deployment, and planning each phase of the decryption rollout.
    Start by setting clear goals for your decryption deployment. You can evaluate each planning and implementation phase against these goals. Ensure coordination between the teams involved in implementation and affected users. Review the Decryption Planning Best Practices checklist, and integrate best practices as much as you can. The best practice goal is to decrypt as much traffic as your NGFW resources permit, prioritizing the most important traffic. In industries like healthcare or finance, this goal should take into account regulatory requirements.
    Migrate from port-based to application-based Security policy rules before creating and deploying decryption policy rules. If you create decryption policy rules based on port-based Security policy rules and then migrate to application-based Security policy rules, the change could cause the decryption policy rules to block traffic that you intend to allow because Security policy rules are likely to use application default ports to prevent application traffic from using nonstandard ports.
    For example, traffic identified as web-browsing (default port 80) may have underlying applications with different default ports, such as HTTPS traffic (default port 443). The application-default rule blocks the HTTPS traffic because the decrypted traffic uses a nonstandard port (443 instead of 80). Migrating to App-ID based policy rules before deploying decryption means that during proof of concept testing, you’ll discover Security policy rule misconfigurations, and you can fix these issues before rolling it out to the general user population.
    To plan and implement a decryption deployment that minimizes risks, maximizes security benefits, and accounts for business and legal requirements:
    • Develop a decryption strategy. Define clear objectives and what a successful deployment looks like. Collaborate with stakeholders from legal, finance, HR, security, and IT teams. Identify the traffic you want to prioritize for decryption. Consider traffic you may need to exclude from decryption for technical, legal, or other reasons. Consider if you need to create separate decryption policy rules or decryption profiles to handle traffic to and from various user groups, devices, or applications.
    • Plan your PKI rollout. Proper certificate management and handling of user traffic is critical in the decryption planning process. Consider which certificates you need and how to generate them. Will you use an enterprise CA or a self-signed root CA certificate? Think about edge cases, such as guest users or personal devices on your network. Ensure network devices have valid certificates.
    • Size your NGFW to account for current and future needs. Decryption can be resource-intensive. The amount of decryption an NGFW can support depends on various factors, including volume of SSL traffic, TLS versions, cipher suites, and authentication methods. Work with Palo Alto Networks representations to properly size deployments to meet your requirements. Make sure your NGFW deployment can meet performance expectations when decrypting at work.
    • Deploy decryption in phases. Plan each phase, including the education of stakeholders and proof of concepts. Evaluate user experiences, generate decryption reports, and verify effectiveness at each stage. Refine decryption policy rules and profiles as needed.
      If enabling SSL/TLS decryption, use the Get Started with SSL Decryption resource as a guide for an initial deployment. This topic includes steps for:
      • creating a no-decryption policy rule to understand the websites and applications end users access
      • creating a low-risk proof of concept
      • using decryption logs to identify and mitigate issues
      Familiarize yourself with SSL decryption and use the insights from each step to turn a proof of concept into a deployment aligned with business and other considerations.

    © 2026 Palo Alto Networks, Inc. All rights reserved.