Detect, log, and control post-quantum cryptography (PQC) and hybrid PQC algorithms in decrypted and encrypted SSL/TLS sessions.
Today, post-quantum cryptography (PQC) algorithms and hybrid PQC algorithms (classical and PQC algorithms combined) are accessible through open-source libraries and integrated into web browsers and other technologies. Traffic encrypted by PQC or hybrid PQC algorithms cannot be decrypted yet, making these algorithms vulnerable to misuse. To address these concerns, Palo Alto Networks firewalls now detect, block, and log the use of PQC and hybrid PQC algorithms in TLSv1.3 sessions.
Your decryption policy rules determine whether the firewall detects, blocks, and logs PQC and hybrid PQC algorithms. If SSL/TLS traffic matches an SSL Forward Proxy or SSL Inbound Inspection decryption policy rule, the firewall prevents negotiation with PQC, hybrid PQC, and other unsupported algorithms. Specifically, the firewall removes these algorithms from the ClientHello, forcing the client to negotiate with classical algorithms. This enables continuous decryption and threat identification through deep packet inspection. If the client offers only PQC or hybrid PQC algorithms and no classical fallback, the firewall drops the session. The decryption log entry for dropped sessions shows the error message: "client only supports post-quantum algorithms".
If SSL/TLS traffic matches a "no-decrypt" decryption policy rule or does not match any decryption policy rules, the firewall allows the negotiation of PQC or hybrid PQC algorithms. In these cases, the firewall generates a decryption log only if the traffic matches a "no-decrypt" decryption policy rule.
Additionally, new threat signatures offer visibility into the use of PQC
and hybrid PQC algorithms in your network. These signatures monitor ServerHello
responses and alert you when PQC-based SSL/TLS sessions are successfully negotiated.
A Threat Prevention license is required to receive alerts.
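The following added example (not Palo Alto Networks code) models the two behaviours described above: the decryption-policy decision on a ClientHello's supported_groups list (strip PQC/hybrid groups, or drop when no classical group remains) and the ServerHello check that the threat signatures perform on the negotiated key_share group. The group code points are assumed from the IANA TLS Supported Groups registry and the hybrid ML-KEM drafts; the sample messages are constructed inline.

```python
import struct

# Assumed code points (IANA registry / hybrid ML-KEM drafts), not taken from the page.
PQC_GROUPS = {
    0x11EC: "X25519MLKEM768",         # hybrid: X25519 + ML-KEM-768
    0x11EB: "SecP256r1MLKEM768",      # hybrid: P-256 + ML-KEM-768
    0x11ED: "SecP384r1MLKEM1024",     # hybrid: P-384 + ML-KEM-1024
    0x6399: "X25519Kyber768Draft00",  # earlier hybrid draft (Kyber)
}
CLASSICAL_GROUPS = {0x001D: "x25519", 0x0017: "secp256r1", 0x0018: "secp384r1"}
SUPPORTED_GROUPS_EXT, KEY_SHARE_EXT = 10, 51
DROP_REASON = "client only supports post-quantum algorithms"  # message quoted on the page

def parse_extensions(ext_block):
    """Parse a TLS extensions vector: 2-byte total length, then type/length/data triples."""
    (total,) = struct.unpack("!H", ext_block[:2])
    body, out, off = ext_block[2:2 + total], {}, 0
    while off < len(body):
        ext_type, ext_len = struct.unpack("!HH", body[off:off + 4])
        out[ext_type] = body[off + 4:off + 4 + ext_len]
        off += 4 + ext_len
    return out

def parse_supported_groups(data):
    """supported_groups payload: 2-byte list length followed by 2-byte NamedGroup values."""
    (n,) = struct.unpack("!H", data[:2])
    return list(struct.unpack("!%dH" % (n // 2), data[2:2 + n]))

def policy_decision(client_ext_block):
    """Decrypt-rule behaviour: strip PQC/hybrid groups; drop the session if none remain."""
    groups = parse_supported_groups(parse_extensions(client_ext_block)[SUPPORTED_GROUPS_EXT])
    stripped = [g for g in groups if g in PQC_GROUPS]
    remaining = [g for g in groups if g not in PQC_GROUPS]
    if not remaining:
        return {"action": "drop", "error": DROP_REASON, "stripped": stripped}
    return {"action": "decrypt", "offered_groups": remaining, "stripped": stripped}

def server_hello_negotiated_pqc(server_ext_block):
    """Signature-style check: a ServerHello key_share starts with the selected NamedGroup."""
    (group,) = struct.unpack("!H", parse_extensions(server_ext_block)[KEY_SHARE_EXT][:2])
    return PQC_GROUPS.get(group)  # group name if PQC/hybrid was negotiated, else None

def build_ext_block(ext_type, payload):
    """Wrap one extension payload in a complete extensions vector (for constructed samples)."""
    ext = struct.pack("!HH", ext_type, len(payload)) + payload
    return struct.pack("!H", len(ext)) + ext

def groups_payload(groups):
    return struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)

# Constructed samples: a browser-style hello with hybrid first and classical fallback, a PQC-only
# hello, and a ServerHello key_share that selected X25519MLKEM768 with a dummy 4-byte share.
HYBRID_WITH_FALLBACK = build_ext_block(SUPPORTED_GROUPS_EXT, groups_payload([0x11EC, 0x001D, 0x0017]))
PQC_ONLY = build_ext_block(SUPPORTED_GROUPS_EXT, groups_payload([0x11EC, 0x6399]))
SERVER_PQC = build_ext_block(KEY_SHARE_EXT, struct.pack("!HH", 0x11EC, 4) + b"\x00" * 4)
```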