Decryption Features

What new decryption features are included in PAN-OS 12.1?

Automatic Retrieval of Intermediate Certificates Using AIA

August 2025
  • Introduced in PAN-OS 12.1.2
Some servers send only their own certificate during the TLS handshake and omit the intermediate certificate authority (CA) certificates that link it to a trusted root CA. When this happens, Next-Generation Firewalls (NGFWs) can't build a chain of trust, and the SSL/TLS connection fails. PAN-OS® 12.1 solves this problem for SSL Forward Proxy connections by fetching the missing intermediate certificates from the CA Issuers URL in the Authority Information Access (AIA) extension of the server certificate. This eliminates the need to manually upload intermediate certificates or to exclude these connections from decryption.
If a server certificate doesn't carry an AIA extension with a CA Issuers URL, there is nothing to fetch and the certificate remains untrusted.
The Automatic Retrieval of Intermediate Certificates feature examines server certificates during TLS handshakes. If a certificate can't be validated because the chain is incomplete, but it contains an AIA extension with a CA Issuers URL, the NGFW:
  • Checks its intermediate certificate cache for an entry corresponding to that URL.
  • If no entry is present, downloads the certificates from the AIA URL.
  • Verifies that the Subject Name (SN) of the downloaded certificate matches the Issuer name of the certificate that referenced it, and that the downloaded certificate hasn't expired.
  • Caches the certificate for future use if both checks pass.
The NGFW repeats this process recursively, following the AIA extension of each fetched intermediate, for up to three levels until the chain reaches a trusted root CA. Fetching a certificate doesn't make it trusted on its own: the completed chain must still terminate in a root CA that the NGFW trusts.
The connection that triggers the fetch fails, because the download isn't complete in time for that handshake, but subsequent connections succeed using the cache. The NGFW keeps fetched certificates for up to one week, or until the certificate expires, whichever comes first.
Decryption logs record the result of each fetch in the Server Certificate Status field, so you can confirm that a chain was completed or see why it wasn't.
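The following is an added model of the chain-completion logic described above; it is example code written for this page, not PAN-OS code, and it does not parse real X.509. Certificates are simplified records, the `fetch` callable stands in for the HTTP download of the CA Issuers URL, and the status strings, the `MAX_AIA_DEPTH` and `CACHE_MAX_TTL` constants and all CA names are assumptions. It shows the cache keyed by AIA URL, the Subject/Issuer and expiry checks on each fetched certificate, the three-level limit, the one-week cache cap, and the first-connection-fails, second-connection-succeeds behaviour.

```python
# Added example (not PAN-OS code): a model of AIA-driven chain completion.
# Certificates are simplified records; "fetch" is an in-memory stand-in for
# an HTTP GET of the CA Issuers URL. Names, limits and statuses are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

MAX_AIA_DEPTH = 3                  # page: up to three levels of intermediates
CACHE_MAX_TTL = timedelta(days=7)  # page: cached for up to one week


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime
    aia_url: Optional[str] = None  # CA Issuers URL from the AIA extension


@dataclass
class CacheEntry:
    cert: Cert
    expires: datetime


class ChainBuilder:
    def __init__(self, trusted_roots: list[Cert], fetch: Callable[[str], list[Cert]]):
        self.roots = {c.subject: c for c in trusted_roots}
        self.fetch = fetch                      # stand-in for the AIA HTTP fetch
        self.cache: dict[str, CacheEntry] = {}  # keyed by AIA URL, as on the page

    def _cached_issuer(self, child: Cert, now: datetime) -> Optional[Cert]:
        entry = self.cache.get(child.aia_url)
        if entry is None:
            return None
        # Drop stale entries and entries that do not actually issue this child.
        if entry.expires <= now or entry.cert.subject != child.issuer:
            del self.cache[child.aia_url]
            return None
        return entry.cert

    def _fetch_issuer(self, child: Cert, now: datetime) -> Optional[Cert]:
        """Download from the child's AIA URL and keep the first candidate whose
        Subject equals the child's Issuer and which has not expired."""
        for cand in self.fetch(child.aia_url):
            if cand.subject == child.issuer and cand.not_after > now:
                ttl = min(CACHE_MAX_TTL, cand.not_after - now)  # week cap or expiry
                self.cache[child.aia_url] = CacheEntry(cand, now + ttl)
                return cand
        return None

    def _prefetch(self, cert: Cert, now: datetime) -> None:
        """Walk up to MAX_AIA_DEPTH levels, filling the cache for later sessions."""
        cur = cert
        for _ in range(MAX_AIA_DEPTH):
            if cur.issuer in self.roots or not cur.aia_url:
                return
            issuer = self._cached_issuer(cur, now) or self._fetch_issuer(cur, now)
            if issuer is None:
                return
            cur = issuer

    def verify(self, leaf: Cert, now: datetime) -> tuple[str, list[Cert]]:
        """Return (status, chain); the chain is complete only when status is 'trusted'."""
        chain, cur = [leaf], leaf
        for depth in range(MAX_AIA_DEPTH + 1):
            if cur.issuer in self.roots:
                return "trusted", chain + [self.roots[cur.issuer]]
            if depth == MAX_AIA_DEPTH:
                return "untrusted-depth-exceeded", chain
            if not cur.aia_url:
                return "untrusted-no-aia", chain
            issuer = self._cached_issuer(cur, now)
            if issuer is None:
                # Cache miss: this handshake fails, but the fetch primes the cache.
                self._prefetch(cur, now)
                pending = self._cached_issuer(cur, now) is not None
                return ("untrusted-fetch-pending" if pending else "untrusted-fetch-failed"), chain
            chain.append(issuer)
            cur = issuer
        return "untrusted-depth-exceeded", chain


def make_fixture():
    """Constructed scenario: a server that sends only its leaf certificate."""
    now = datetime(2025, 8, 1, tzinfo=timezone.utc)
    root = Cert("Example Root CA", "Example Root CA", now + timedelta(days=3650))
    int2 = Cert("Example CA 2", "Example Root CA", now + timedelta(days=900))
    int1 = Cert("Example CA 1", "Example CA 2", now + timedelta(days=400),
                aia_url="http://ca.example/ca2.crt")
    leaf = Cert("www.example", "Example CA 1", now + timedelta(days=60),
                aia_url="http://ca.example/ca1.crt")
    repo = {"http://ca.example/ca1.crt": [int1], "http://ca.example/ca2.crt": [int2]}
    return ChainBuilder([root], lambda url: repo.get(url, [])), leaf, now, repo


def demo() -> list[str]:
    """Two connections to the same server: the first fails, the second chains to the root."""
    builder, leaf, now, _ = make_fixture()
    first, _ = builder.verify(leaf, now)
    second, chain = builder.verify(leaf, now)
    return [first, second, " -> ".join(c.subject for c in chain)]


if __name__ == "__main__":
    print(demo())
```

Two details are worth noting. The cache is keyed by URL but re-validated against the child's Issuer on every hit, so a URL that starts serving a different certificate can't satisfy a chain it doesn't belong to. And an expired intermediate served from the AIA URL is never cached, so the session stays untrusted rather than being "fixed" by a stale certificate.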

Bypass Server Certificate Verification for SSL Forward Proxy

August 2025
  • Introduced in PAN-OS 12.1.2
Server certificate verification ensures that users connect to legitimate servers, protects sensitive data, and mitigates the risk of attacks such as meddler-in-the-middle (MITM) and phishing. However, it can also block business-critical websites and applications whose certificates fail validation for reasons such as an incomplete certificate chain. Workarounds such as excluding those servers from decryption take time and leave security gaps.
PAN-OS® 12.1 adds the Bypass Server Certificate Verification setting to decryption profiles for SSL Forward Proxy. When enabled, your Next-Generation Firewall (NGFW) ignores server certificate issues and completes the TLS handshake, presenting a Forward Trust certificate to the client. The session is decrypted without disruption, which keeps critical services available.
Enabling this option disables all other server certificate verification settings in the profile.
Bypassing server certificate verification carries real risk: the NGFW accepts whatever certificate the server presents, including one from an attacker on the path, and the client can't detect the problem because it receives a valid Forward Trust certificate. It can also put you out of regulatory compliance. Treat it as a temporary measure, scoped to the profiles and servers that need it, while you fix the underlying certificate issues. Decryption logs record whether certificate validation was bypassed for a session, which helps you identify the servers that still need attention.

Comprehensive Decryption Log Fields and Error Messages

August 2025
  • Introduced in PAN-OS 12.1.2
The Next-Generation Firewall (NGFW) acts as a proxy between clients and servers during SSL Forward Proxy and SSL Inbound Inspection, so visibility into both halves of each proxied connection is essential. Decryption logs that lack this visibility, omit other critical details, or are hard to analyze complicate monitoring and hinder troubleshooting. PAN-OS® 12.1 addresses these issues with comprehensive improvements to decryption logs.
Decryption log fields now distinguish between the client-side session (traffic between the client and the NGFW) and the server-side session (traffic between the NGFW and the server). These fields carry a "client" or "server" prefix, so you can compare values on the two legs, for example the TLS version or cipher negotiated on each, and understand what is happening at each stage of the proxied connection. Fields that apply to the session as a whole, such as Session ID, don't carry these prefixes.
In addition, new fields record decryption status, the reason a session was excluded from decryption, and certificate revocation status based on Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) checks. For example, Decryption Status records whether a session was decrypted and, if it wasn't, whether that was by design (policy or an exclusion) or because decryption failed.
Further, existing error messages have been simplified and new error messages have been added. These updates make it easier to interpret decryption log errors and to identify the ones that need immediate attention.
All decryption log improvements are automatically enabled for platforms with decryption logging capabilities.
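The following is an added example, written for this page rather than taken from PAN-OS, of the kind of triage the new fields make possible. The sample rows are constructed, and every field name (`client_tls_version`, `server_tls_version`, `decryption_status`, `server_cert_status`, `ocsp_status`, `crl_status`, `error`, and so on) is an assumption modelled on the client/server prefix convention described above, not the real PAN-OS log schema. It flags sessions that failed decryption (as opposed to being excluded by design), servers whose certificate is revoked per OCSP or CRL, sessions where certificate verification was bypassed, and sessions where the server leg negotiated a weaker TLS version than the client leg.

```python
# Added example (not PAN-OS code): triage over constructed decryption log rows.
# Field names and status values are assumptions, not the real log schema.
import csv
import io

# Constructed sample rows. One CSV header, one row per proxied session.
SAMPLE_LOG = """\
session_id,decryption_status,exclusion_reason,client_tls_version,server_tls_version,client_cipher,server_cipher,server_cert_status,ocsp_status,crl_status,error
1001,decrypted,,TLS1.3,TLS1.3,TLS_AES_256_GCM_SHA384,TLS_AES_256_GCM_SHA384,valid,good,good,
1002,decrypted,,TLS1.3,TLS1.2,TLS_AES_128_GCM_SHA256,ECDHE-RSA-AES128-GCM-SHA256,valid,good,good,
1003,not-decrypted-failure,,TLS1.3,TLS1.3,,,untrusted-issuer,unknown,unknown,incomplete certificate chain
1004,not-decrypted-policy,decryption-exclusion-list,TLS1.2,TLS1.2,,,,,,
1005,decrypted,,TLS1.2,TLS1.2,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,revoked,revoked,good,
1006,decrypted,,TLS1.3,TLS1.3,TLS_AES_256_GCM_SHA384,TLS_AES_256_GCM_SHA384,verification-bypassed,unknown,unknown,
"""

# Higher rank means a newer protocol version; used to spot a weaker server leg.
TLS_RANK = {"TLS1.0": 0, "TLS1.1": 1, "TLS1.2": 2, "TLS1.3": 3}


def parse_log(text: str) -> list[dict]:
    """Parse the CSV export into one dict per session."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(rows: list[dict]) -> dict:
    """Count sessions per decryption status (decrypted, failed, excluded by policy)."""
    counts: dict = {}
    for r in rows:
        counts[r["decryption_status"]] = counts.get(r["decryption_status"], 0) + 1
    return counts


def triage(rows: list[dict]) -> list[tuple[str, str, str]]:
    """Return (session_id, severity, message) findings in log order."""
    findings = []
    for r in rows:
        sid = r["session_id"]
        # Not decrypted because of a failure, not because policy said so.
        if r["decryption_status"] == "not-decrypted-failure":
            findings.append((sid, "medium", f"decryption failed: {r['error'] or 'no error recorded'}"))
        # Bypass in effect: the server's certificate problem is being masked.
        if r["server_cert_status"] == "verification-bypassed":
            findings.append((sid, "high", "server certificate verification bypassed; fix the chain and remove the bypass"))
        # Revocation surfaced by either OCSP or CRL on the server leg.
        if "revoked" in (r["server_cert_status"], r["ocsp_status"], r["crl_status"]):
            findings.append((sid, "high", "server certificate revoked (OCSP/CRL)"))
        # Compare the two legs: a weaker server-side version is worth knowing about.
        c, s = TLS_RANK.get(r["client_tls_version"]), TLS_RANK.get(r["server_tls_version"])
        if c is not None and s is not None and s < c:
            findings.append((sid, "low", f"server leg {r['server_tls_version']} is weaker than client leg {r['client_tls_version']}"))
    return findings


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(summarize(rows))
    for finding in triage(rows):
        print(*finding)
```

The per-leg comparison is the point of the prefixed fields: a client that negotiated TLS 1.3 with the NGFW while the NGFW fell back to TLS 1.2 with the server isn't an error, but it is exactly the kind of asymmetry that was invisible when the log held a single set of values.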

Post-quantum Cryptography (PQC) Support for TLSv1.3 Decryption

August 2025
  • Introduced in PAN-OS 12.1.2
Adopting post-quantum cryptography (PQC) is critical to protecting your organization and its assets against future quantum computers, which are expected to break today's classical public-key cryptography. Delaying adoption increases the risk to sensitive data: Harvest Now, Decrypt Later attacks, in which an adversary records encrypted traffic today in order to decrypt it once a quantum computer is available, are already under way. At the same time, upgrading legacy applications and systems is time-consuming and costly, and without proper guardrails it risks service disruption and data exposure. To address both concerns, PAN-OS® 12.1 adds support for TLSv1.3 sessions that use post-quantum (PQ) key encapsulation mechanisms (KEMs) to SSL Forward Proxy, SSL Inbound Inspection, Decryption Mirror, and Network Packet Broker.
In decryption profiles, you can enable PQ KEMs standardized by the National Institute of Standards and Technology (NIST) or nonstandardized, experimental options, and specify whether the selected algorithms are preferred on the client side, the server side, or both. Next-Generation Firewalls (NGFWs) then act as cipher translation proxies between PQ and classical key exchange for applications that aren't yet post-quantum ready. For example, you can use a PQ KEM for the TLS key exchange between end users and the NGFW while the NGFW still uses classical key exchange with the application. Because the NGFW terminates both legs, the PQ protection covers the client-to-NGFW leg; the NGFW-to-application leg remains only as strong as its classical key exchange until the application itself is upgraded.
This lets you protect both legacy and quantum-safe systems and applications, meet PQC mandates, and reduce the complexity of PQC upgrades.