Decryption Features

What new decryption features are included in PAN-OS 12.1?

Comprehensive Decryption Log Fields and Error Messages

August 2025
  • Introduced in PAN-OS 12.1.2
Orion introduces several enhancements to decryption logs to improve troubleshooting and the analysis of log entries.
First, decryption log fields now distinguish between the client-side session (traffic between the client and the firewall) and the server-side session (traffic between the firewall and the server), reflecting that for SSL Forward Proxy and SSL Inbound Inspection a Next-Generation Firewall (NGFW) acts as a proxy between the client and the server. These fields are prefixed with "client" or "server," respectively. Fields that apply to the session as a whole, such as Session ID, carry no prefix. The distinction shows exactly what happened at each stage of the proxied connection, which lets you target troubleshooting at the side where the problem occurred. For example, if a session fails, you might notice that the client-side and server-side values of the same field differ.
Second, new fields record decryption status, the reason a session was excluded from decryption, and certificate revocation status based on OCSP and CRL checks. For example, Decryption Status records whether a session was decrypted and, if it was not, whether that was due to a failure or by design. This information helps you focus your attention and resources where they are needed.
Finally, existing error messages have been simplified and new error messages have been added. These updates help you prioritize which decryption log errors to review and act on.
All decryption log enhancements are enabled by default for all platforms with decryption logging capabilities. The addition of new fields and error messages won’t impact existing log filters and reports.
  • If you export decryption logs to CSV format, the client-side fields and new fields follow the existing fields.
  • Changes to the error messages and the addition of new fields increase the size of decryption log packets but don’t impact memory or CPU usage.
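As an added illustration (not code from the PAN-OS documentation), the following Python script reads a constructed CSV export whose column names are hypothetical stand-ins for the client-/server-prefixed fields and the Decryption Status field described above; it reports, per session, which paired fields differ between the two sides of the proxy and separates failures from policy exclusions:

```python
import csv
import io

# Constructed sample export. The column names are hypothetical stand-ins for
# the client-/server-prefixed fields, not the real PAN-OS 12.1 log schema.
# session_id has no prefix because it describes the session as a whole.
SAMPLE_CSV = """session_id,client_tls_version,server_tls_version,client_cipher,server_cipher,decryption_status,error_message
1001,TLSv1.3,TLSv1.3,TLS_AES_256_GCM_SHA384,TLS_AES_256_GCM_SHA384,decrypted,
1002,TLSv1.3,TLSv1.2,TLS_AES_128_GCM_SHA256,ECDHE-RSA-AES128-GCM-SHA256,decrypted,
1003,TLSv1.2,,ECDHE-RSA-AES256-GCM-SHA384,,not-decrypted-failure,server certificate revoked (OCSP)
1004,TLSv1.3,TLSv1.3,TLS_AES_256_GCM_SHA384,TLS_AES_256_GCM_SHA384,not-decrypted-policy,excluded by decryption policy
"""


def split_sides(row):
    """Pair each client-prefixed field with its server-side counterpart.
    Unprefixed fields (e.g. session_id) are left out of the pairing."""
    pairs = {}
    for name, value in row.items():
        if name.startswith("client_"):
            base = name[len("client_"):]
            pairs[base] = (value, row.get("server_" + base, ""))
    return pairs


def analyze(csv_text):
    """Return one finding per session: its decryption status, the paired
    fields whose client and server values differ, and the error message."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pairs = split_sides(row)
        mismatched = sorted(k for k, (c, s) in pairs.items() if c != s)
        findings.append({
            "session_id": row["session_id"],
            "status": row["decryption_status"],
            "mismatched_fields": mismatched,
            "error": row["error_message"],
        })
    return findings


def failures(findings):
    """Sessions that were not decrypted because of an error: the entries to
    review first. Policy exclusions are by design and are left out."""
    return [f for f in findings if f["status"] == "not-decrypted-failure"]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_CSV):
        print(finding)
```

For session 1003 the empty server-side values show that the handshake never completed on the firewall-to-server leg, which is exactly the kind of one-sided difference the prefixed fields are meant to expose.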

Post-quantum Cryptography (PQC) Support for TLSv1.3 Decryption

August 2025
  • Introduced in PAN-OS 12.1.2
Orion adds support for the use of post-quantum (PQ) key encapsulation mechanisms (KEMs) to establish TLSv1.3 sessions for SSL Forward Proxy, SSL Inbound Inspection, the Decryption Mirror, and the Network Packet Broker. Palo Alto Networks next-generation firewalls (NGFWs) now serve as a cipher translation proxy, translating between PQC and classical encryption methods for applications that are not yet post-quantum ready. This capability protects your organization against future quantum computing threats while maintaining compatibility with existing systems that have not yet adopted PQC.
You can specify exactly which PQC key exchange algorithms are used to secure SSL/TLS sessions and whether those algorithms are negotiated on the client side, the server side, or both sides of SSL/TLS connections. For example, you can use quantum-safe encryption for external communications between users and an NGFW while connections from the NGFW to applications use classical encryption. PQC options are only available when TLSv1.3 is supported for decryption.
You can choose between PQC options standardized by the National Institute of Standards and Technology (NIST) and experimental options. The PQC-Standard option supports ML-KEM. The PQC-Experimental options are HQC, BIKE, and FrodoKEM. The system automatically falls back to classical ciphers if neither the client nor the server supports PQC.