Enable Comprehensive Cryptographic Visibility

Use this procedure to enable the Quantum-Safe Security app to build a cryptographic inventory, identify vulnerable assets, track PQC readiness, and share migration recommendations.
Where Can I Use This?
  • NGFW
  • Strata Cloud Manager
What Do I Need?
The Quantum-Safe Security app provides visibility into your cryptographic posture and offers remediation guidance to support the transition to post-quantum cryptography (PQC). The app features an inventory of your network assets and their cryptographic components and an interactive dashboard that provides a high-level overview of cryptographic risk and quantum readiness across the enterprise. To discover assets and provide actionable insights, the app continuously ingests telemetry from your Next-Generation Firewalls (NGFW), Prisma Access tenants, and integrated third-party solutions through the Strata Logging Service. You must onboard your NGFWs and Prisma Access tenants to the Strata Logging Service and enable them to forward device telemetry and logs. The app only evaluates data from onboarded devices.
Decryption logs are the primary data source for the app because they capture cryptographic metadata for each TLS session: the protocol version, the negotiated algorithms (key exchange, encryption, and hash), and the certificates in use. A session produces a decryption log only if it matches a decryption policy rule that has handshake logging enabled, so traffic that falls through to the implicit default (no decryption, no log) is invisible to the inventory. For comprehensive visibility, log both successful and unsuccessful TLS handshakes, from both the traffic you decrypt and the traffic you choose not to decrypt; an unsuccessful handshake still records the protocol version and the reason for the failure, which is often where legacy or misconfigured endpoints show up.
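To make concrete what an inventory built from this metadata looks like, here is an added example (not code from the Quantum-Safe Security app or from Palo Alto Networks) that aggregates decryption-log rows per server and rates each server's quantum readiness. The column names, the sample rows, and the readiness scheme (Ready, Partial, Not Ready, Unknown, judged only from the observed key-exchange algorithm) are assumptions made for this illustration; the field names in a real Strata Logging Service export and the app's own readiness rules may differ. The example also shows why the catch-all Do Not Decrypt logging rule matters: two of the four servers appear only in entries from that rule, and one of them is seen only through a failed handshake.

```python
"""Build a cryptographic inventory from decryption-log rows (added example).

Not code from the Quantum-Safe Security app or from Palo Alto Networks.
Column names, sample rows and the readiness scheme are assumptions made for
this illustration; map the columns to the field names of your own export.
"""
import csv
import io
from collections import Counter

# Constructed sample export (12 assumed columns). It mixes entries from a
# Decrypt rule with entries from the catch-all Do Not Decrypt logging rule,
# and includes failed handshakes (err_index other than "None").
SAMPLE_LOG = """\
receive_time,src,dst,dport,policy_name,rule_action,tls_version,tls_keyxchg,tls_enc,tls_auth,ec_curve,err_index
2025/01/10 09:00:01,10.1.1.20,203.0.113.10,443,decrypt-outbound,decrypt,TLS1.3,X25519MLKEM768,AES-256-GCM,SHA384,X25519MLKEM768,None
2025/01/10 09:00:02,10.1.1.21,203.0.113.10,443,decrypt-outbound,decrypt,TLS1.3,ECDHE,AES-128-GCM,SHA256,X25519,None
2025/01/10 09:00:03,10.1.1.22,198.51.100.7,443,decrypt-outbound,decrypt,TLS1.2,RSA,AES-128-CBC,SHA1,,None
2025/01/10 09:00:04,10.1.1.23,198.51.100.7,443,decrypt-outbound,decrypt,TLS1.2,ECDHE,AES-256-GCM,SHA384,P-256,Certificate
2025/01/10 09:00:05,10.1.1.24,192.0.2.44,8443,log-all-no-decrypt,no-decrypt,TLS1.3,ECDHE,AES-256-GCM,SHA384,X25519,None
2025/01/10 09:00:06,10.1.1.25,192.0.2.44,8443,log-all-no-decrypt,no-decrypt,TLS1.3,X25519MLKEM768,AES-256-GCM,SHA384,X25519MLKEM768,None
2025/01/10 09:00:07,10.1.1.26,192.0.2.99,443,log-all-no-decrypt,no-decrypt,TLS1.0,RSA,3DES-CBC,SHA1,,Version
"""

PQC_MARKERS = ("MLKEM", "KYBER")             # hybrid/PQ KEM names used in TLS group identifiers
CLASSICAL_MARKERS = ("ECDHE", "DHE", "RSA")  # key exchange that can be recorded now and broken later
LEGACY_VERSIONS = {"SSLv3", "TLS1.0", "TLS1.1"}


def classify_key_exchange(keyxchg, curve=""):
    """Return 'pqc-hybrid', 'classical' or 'unknown' for one handshake.

    PQC markers are checked first because a hybrid group such as
    X25519MLKEM768 still carries a classical component in its name.
    """
    name = f"{keyxchg or ''}|{curve or ''}".upper()
    if any(m in name for m in PQC_MARKERS):
        return "pqc-hybrid"
    if any(m in name for m in CLASSICAL_MARKERS):
        return "classical"
    return "unknown"


def readiness(asset):
    """Example scheme (not the app's): Ready only if every observed handshake
    used a PQC-hybrid key exchange; Partial if the server negotiated both."""
    if asset["pqc_seen"] and asset["classical_seen"]:
        return "Partial"
    if asset["pqc_seen"]:
        return "Ready"
    if asset["classical_seen"]:
        return "Not Ready"
    return "Unknown"


def build_inventory(log_text):
    """Aggregate rows per server (dst:dport), counting decrypted and
    not-decrypted sessions and failed handshakes separately."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        key = f"{row['dst']}:{row['dport']}"
        asset = inventory.setdefault(key, {
            "handshakes": 0, "failed": 0, "decrypted": 0, "not_decrypted": 0,
            "tls_versions": set(), "key_exchanges": set(),
            "pqc_seen": False, "classical_seen": False, "legacy_crypto": False,
        })
        asset["handshakes"] += 1
        if row["err_index"] != "None":
            asset["failed"] += 1
        if row["rule_action"] == "decrypt":
            asset["decrypted"] += 1
        else:
            asset["not_decrypted"] += 1
        asset["tls_versions"].add(row["tls_version"])
        asset["key_exchanges"].add(row["tls_keyxchg"])
        kind = classify_key_exchange(row["tls_keyxchg"], row["ec_curve"])
        asset["pqc_seen"] |= kind == "pqc-hybrid"
        asset["classical_seen"] |= kind == "classical"
        # Deprecated protocol versions or ciphers: a separate, non-quantum finding.
        asset["legacy_crypto"] |= (row["tls_version"] in LEGACY_VERSIONS
                                   or row["tls_auth"] == "SHA1"
                                   or "3DES" in row["tls_enc"])
    for asset in inventory.values():
        asset["quantum_readiness"] = readiness(asset)
    return inventory


def visible_only_via_no_decrypt(inventory):
    """Servers that appear only in Do Not Decrypt entries: without the
    catch-all logging rule they would be absent from the inventory."""
    return sorted(k for k, a in inventory.items() if a["decrypted"] == 0)


def summarize(inventory):
    """Count assets per readiness state, as a dashboard overview would."""
    return dict(Counter(a["quantum_readiness"] for a in inventory.values()))


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOG)
    for key, a in sorted(inv.items()):
        print(f"{key:20} {a['quantum_readiness']:10} legacy={a['legacy_crypto']!s:5} "
              f"hs={a['handshakes']} failed={a['failed']} "
              f"decrypted={a['decrypted']} not_decrypted={a['not_decrypted']} "
              f"versions={sorted(a['tls_versions'])} kx={sorted(a['key_exchanges'])}")
    print("summary:", summarize(inv))
    print("seen only via Do Not Decrypt rule:", visible_only_via_no_decrypt(inv))
```

The readiness rating deliberately keys on the key exchange rather than on the certificate, because harvest-now-decrypt-later attacks target the session's confidentiality; certificate signature algorithms are a separate migration track. A server rated Partial is the common real-world case: it already negotiates a hybrid group with PQC-capable clients but still falls back to classical ECDHE for everyone else, so the client population, not just the server, has to be upgraded before it can be called Ready.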
If you have Device Security licenses, ensure the licenses and enabled devices are associated with your Strata Logging Service instance. Device Security identifies end-user, IoT, and operational technology (OT) devices and streams device data to the Strata Logging Service. This enriches your assets with additional context, such as the operating system, hardware model, and vendor. The Quantum-Safe Security app uses this context to evaluate quantum readiness and generate hardware and software upgrade recommendations.
Complete the following steps to enable the Quantum-Safe Security app to collect the data it needs to populate your inventory and dashboard. This procedure assumes you are configuring policy rules on Strata Cloud Manager rather than on individual NGFWs.
  1. Log in to Strata Cloud Manager.
  2. Enable logging of all TLS handshakes for decrypted and non-decrypted traffic.
    This enables your NGFWs and Prisma Access tenants to capture session metadata, including algorithms, protocols, and certificates.
    1. For all decryption policy rules where the action is set to Decrypt, enable both Log Successful TLS Handshakes and Log Unsuccessful TLS Handshakes.
    2. Configure a Do Not Decrypt decryption policy rule that logs all TLS handshakes.
      Applying this rule across all NGFWs and Prisma Access tenants increases memory consumption on the enforcement points because of the added log volume and processing. Start by applying it to perimeter firewalls and Prisma Access tenants, and extend it to internal firewalls once you have measured the impact.
      1. Use the following settings:
        • Ensure Source settings are set to their respective Any values.
        • Ensure Destination settings are set to their respective Any values.
        • For Action, select Do Not Decrypt.
        • For Logging, select Log Successful TLS Handshakes and Log Unsuccessful TLS Handshakes.
      2. In the Decryption Policies list, Move this rule to the last position in the Post-Rulebase.
        This ensures it acts as a catch-all for traffic that does not match a more specific decryption policy rule. Because traffic that matches no decryption rule is not decrypted anyway, this rule does not change what is decrypted; it only adds handshake logging for sessions that would otherwise leave no decryption log.
      3. Commit your changes.
        Select Push Config > Push.
  3. (Recommended) Set up Device Security.
    Make sure to:
    • Allocate Device Security subscriptions to the same Strata Cloud Manager tenant as the Quantum-Safe Security license
    • Associate Device Security subscriptions with the Strata Logging Service instance that your onboarded NGFWs and Prisma Access tenants forward logs to
    • Associate the Device Security licenses with the same NGFWs and Prisma Access tenants you onboarded to that Strata Logging Service instance
  4. Launch the Quantum-Safe Security app, and verify that assets are populating.
    Select Insights > Quantum-Safe Security, and explore the Overview and Inventory views.
    Filter assets by multiple criteria to identify assets to prioritize for remediation or migration. For example, to identify web applications ready for migration, apply both the Type (select Internet) and Quantum Readiness (select Ready) filters.
    1. Click Add Filter.
    2. Select a filter, such as Quantum Readiness.
    3. Select one or more sub-filters, such as Ready or Not Ready.
    4. (Optional) Add more filters.