The Secure Sockets Layer (SSL) and Secure Shell (SSH)
encryption protocols secure traffic between two entities, such as
a web server and a client. SSL and SSH encapsulate traffic, encrypting
the data so that it is meaningless to any entity other than the client
and server, which hold the certificates that affirm trust between the devices
and the keys that decode the data. Decrypt SSL and SSH traffic to:
Palo Alto Networks firewall decryption is policy-based, and can
decrypt, inspect, and control inbound and outbound SSL and SSH connections.
A Decryption policy enables you to specify traffic to decrypt by
destination, source, service, or URL category, and to block, restrict,
or forward the specified traffic according to the security settings
in the associated Decryption profile. A Decryption profile controls
SSL protocols, certificate verification, and failure checks to prevent
traffic that uses weak algorithms or unsupported modes from accessing
the network. The firewall uses certificates and keys to decrypt
traffic to plaintext, and then enforces App-ID and security settings
on the plaintext traffic, including Decryption, Antivirus, Vulnerability,
Anti-Spyware, URL Filtering, WildFire, and File-Blocking profiles.
After decrypting and inspecting traffic, the firewall re-encrypts
the plaintext traffic as it exits the firewall to ensure privacy
and security.
The firewall provides three types of Decryption policy rules:
SSL Forward Proxy to control outbound SSL traffic,
SSL Inbound Inspection to control inbound SSL traffic, and
SSH Proxy to control tunneled SSH traffic. You can attach a Decryption
profile to a policy rule to apply granular access settings to traffic,
such as checks for server certificates, unsupported modes, and failures.
SSL decryption (both forward proxy and inbound inspection) requires
certificates to establish the firewall as a trusted third party,
and to establish trust between a client and a server to secure an
SSL/TLS connection. You can also use certificates when excluding
servers from SSL decryption for technical reasons (the site breaks decryption
for reasons such as certificate pinning, unsupported ciphers, or
mutual authentication). SSH decryption does not require certificates.
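As an added illustration (not PAN-OS code or configuration), the following Python model shows how first-match rule evaluation by source, destination, service and URL category combines with Decryption profile failure checks, and how an exclusion rule for a certificate-pinned server or a URL category is placed above the catch-all decrypt rule. The rule names, profile settings, TLS version labels and session values are constructed for the example.

```python
# Illustrative model of first-match Decryption policy evaluation; constructed, not PAN-OS code.
from dataclasses import dataclass, field
TLS_ORDER = ["ssl3", "tls1-0", "tls1-1", "tls1-2", "tls1-3"]  # weakest to strongest (labels constructed)

@dataclass
class DecryptionProfile:
    name: str
    min_version: str = "tls1-2"          # failure check: block sessions that negotiate anything weaker
    block_untrusted_issuer: bool = True  # certificate-verification check

@dataclass
class DecryptionRule:
    name: str
    rule_type: str                       # ssl-forward-proxy | ssl-inbound-inspection | ssh-proxy
    action: str                          # decrypt | no-decrypt
    profile: "DecryptionProfile | None" = None
    source: set = field(default_factory=lambda: {"any"})
    destination: set = field(default_factory=lambda: {"any"})
    service: set = field(default_factory=lambda: {"any"})
    url_category: set = field(default_factory=lambda: {"any"})

def _hit(members, value):
    return "any" in members or value in members

def match_rule(rules, session):
    """Return the first rule whose source, destination, service and URL category all fit the session."""
    for r in rules:
        if (_hit(r.source, session["source"]) and _hit(r.destination, session["destination"])
                and _hit(r.service, session["service"]) and _hit(r.url_category, session["url_category"])):
            return r
    return None

def evaluate(rules, session):
    """Decide what the firewall does with one session: pass it through encrypted, decrypt it, or block it."""
    rule = match_rule(rules, session)
    if rule is None or rule.action == "no-decrypt":
        return "pass-through"  # no matching rule or an explicit exclusion: traffic stays encrypted
    p = rule.profile
    if p is not None and rule.rule_type != "ssh-proxy":  # protocol and certificate checks apply to SSL rules only
        if TLS_ORDER.index(session["version"]) < TLS_ORDER.index(p.min_version):
            return f"block:{p.name}:unsupported-version"
        if p.block_untrusted_issuer and not session["cert_trusted"]:
            return f"block:{p.name}:untrusted-issuer"
    return "decrypt-inspect-reencrypt"  # plaintext inspected, then re-encrypted on egress
STRICT = DecryptionProfile("strict-outbound")
RULES = [  # constructed rulebase, evaluated top-down; exclusions sit above the catch-all decrypt rule
    DecryptionRule("exclude-pinned-app", "ssl-forward-proxy", "no-decrypt", destination={"pinned.example"}),
    DecryptionRule("no-decrypt-finance", "ssl-forward-proxy", "no-decrypt", url_category={"financial-services"}),
    DecryptionRule("decrypt-outbound", "ssl-forward-proxy", "decrypt", STRICT),
]
```

Moving the catch-all rule above the exclusions would silently break the pinned application, which is why rule order matters as much as the match criteria.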