SSL Inbound Inspection decrypts and inspects traffic entering your network for
threats before it reaches your internal servers. Organizations, especially in highly
regulated industries, often store private keys for server certificates on
hardware security modules (HSMs) for
tamper-proof security. However, Next-Generation Firewalls (NGFWs) running PAN-OS®
11.1 and earlier versions could not inspect inbound TLSv1.3 traffic when private
keys resided on an HSM. As a workaround, NGFWs automatically downgraded TLSv1.3
connections to TLSv1.2. These downgraded connections lacked the security and
performance benefits unique to TLSv1.3.
PAN-OS 11.2 resolves this issue by adding support for inbound inspection of TLSv1.3
sessions when an HSM protects the private keys. After you
enable this feature, you can both secure
private keys with HSMs and gain full visibility into traffic that the latest TLS
version secures. This feature is compatible only with Thales Luna Network HSMs and
Entrust nShield HSMs and requires connectivity between your HSMs and virtual or
physical NGFWs.
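A practical way to confirm that inbound sessions are really negotiating TLSv1.3 after the upgrade (rather than being silently downgraded to TLSv1.2, as on PAN-OS 11.1 and earlier with HSM-held keys) is to probe the published server from a client outside the firewall and compare a TLSv1.3-only handshake with a default handshake. The script below is an added example written for this page; it is not Palo Alto Networks code, uses the Python standard library only, and the host name and port are placeholders you replace with your own server behind the NGFW.

```python
"""Probe a TLS endpoint and report whether TLSv1.3 is negotiated or the
connection falls back to TLSv1.2 (added example, not from the PAN-OS docs)."""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ProbeResult:
    host: str
    port: int
    strict_tls13_ok: bool        # did a TLSv1.3-only handshake succeed?
    negotiated: Optional[str]    # version chosen in a default (1.2+) handshake
    cipher: Optional[str]        # cipher suite from the default handshake
    verdict: str
    error: Optional[str] = None  # last handshake error, if any


def _context(min_version: ssl.TLSVersion, max_version: ssl.TLSVersion,
             verify: bool = True) -> ssl.SSLContext:
    """Client context pinned to a version window; verification stays on by
    default so a certificate problem is reported rather than hidden."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    ctx.maximum_version = max_version
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _handshake(host: str, port: int, ctx: ssl.SSLContext,
               timeout: float) -> Tuple[str, str]:
    """Complete one handshake and return (protocol version, cipher name)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


def classify(strict_tls13_ok: bool, negotiated: Optional[str]) -> str:
    """Pure verdict logic, kept separate so it can be checked without a network.

    'downgraded' is the pre-11.2 behaviour the page describes: the client offers
    TLSv1.3 but the session only ever completes as TLSv1.2."""
    if negotiated is None:
        return "unreachable"
    if strict_tls13_ok and negotiated == "TLSv1.3":
        return "tls13"
    if not strict_tls13_ok and negotiated == "TLSv1.2":
        return "downgraded"
    return "inconsistent"  # e.g. 1.3-only succeeded but default picked 1.2


def probe(host: str, port: int = 443, timeout: float = 5.0,
          verify: bool = True) -> ProbeResult:
    """Run the strict and default handshakes and classify the result."""
    error = None
    strict_ok = False
    try:
        _handshake(host, port, _context(ssl.TLSVersion.TLSv1_3,
                                        ssl.TLSVersion.TLSv1_3, verify), timeout)
        strict_ok = True
    except OSError as exc:          # ssl.SSLError is a subclass of OSError
        error = f"TLSv1.3-only handshake failed: {exc}"

    negotiated = cipher = None
    try:
        negotiated, cipher = _handshake(
            host, port, _context(ssl.TLSVersion.TLSv1_2,
                                 ssl.TLSVersion.TLSv1_3, verify), timeout)
    except OSError as exc:
        error = f"default handshake failed: {exc}"

    return ProbeResult(host, port, strict_ok, negotiated, cipher,
                       classify(strict_ok, negotiated), error)


if __name__ == "__main__":
    # Placeholder target: a server published through the NGFW whose private
    # key is held on the HSM. Replace before running.
    result = probe("inbound-server.example.invalid", 443)
    print(result)
```

A verdict of `downgraded` after enabling the feature points at the decryption path still forcing TLSv1.2 (for example a decryption profile that caps the maximum version), while `inconsistent` usually means an intermediary other than the firewall is terminating TLS; check the session's `proto` field in the firewall's decryption log against what the probe reports.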