What new decryption features are included in PAN-OS 11.2?
TLSv1.3 Support for HSM Integration with SSL Inbound Inspection
May 2024
Introduced in PAN-OS 11.2.0
PAN-OS now supports the decryption of TLSv1.3 sessions in SSL Inbound Inspection mode when the private keys of internal servers are stored on Hardware Security Modules (HSMs). The superior performance and security of TLSv1.3 combined with the protection of HSMs hardens inbound decryption. This feature is compatible only with the Thales Luna Network and Entrust nShield Connect HSMs.
This feature is disabled by default. To activate this support, use the following CLI command:
set ssl inbound-inspection tls1.3-with-hsm enable yes
Before you activate it, you must first set up connectivity between a supported HSM and Palo Alto Networks appliances and apply a Decryption profile that specifies TLSv1.3 as the minimum or maximum supported TLS version to an SSL Inbound Inspection rule.