new Decryption policy rule, and give the policy rule a descriptive
Configure the decryption rule to match to traffic based
on network and policy objects:
Firewall security zones
to traffic based on the
IP addresses, address objects, and/or address groups
match to traffic based on
. Alternatively, select
exclude the source address list from decryption.
for whom to decrypt traffic.
You can decrypt specific user or group traffic, or decrypt traffic
for certain types of users, such as unknown users or pre-logon users
(users that are connected to GlobalProtect but are not yet logged
Ports and protocols
set the rule to match to traffic based on service. By default, the
policy rule is set to decrypt
on TCP and UDP ports. You can
or a service group, and optionally set the rule to
to applications only on the application default ports.
The application-default setting can be useful
when you create a policy-based decryption
exclusion. You can exclude applications running on their
default ports from decryption, while continuing to decrypt the same
applications when they are detected on non-standard ports.
URLs and URL categories
—Select Service/URL Category
and decrypt traffic based on:
list of URLs that the firewall retrieves for policy-enforcement
Palo Alto Networks predefined URL categories, which
make it easy to decrypt entire categories of allowed traffic. This
option is also useful when you create policy-based decryption exclusions
because you can exclude sensitive sites by category instead of individually.
For example, although you can create a custom URL category to group
sites that you do not want to decrypt, you can also exclude financial
or healthcare-related sites from decryption based on the predefined
Palo Alto Networks URL categories. In addition, you can block risky
URL categories and create comfort pages to
communicate the reason the sites are blocked or enable users to opt out of SSL
You can use the predefined high-risk and
medium-risk URL categories to create a Decryption policy rule that
decrypts all high-risk and medium-risk URL traffic. Place the rule
at the bottom of the rulebase (all decryption exceptions must be
above this rule so that you don’t decrypt sensitive information) as
a safety net to ensure that you decrypt and inspect all risky traffic. However,
if high-risk or medium-risk sites to which you allow access contain personally
identifiable information (PII) or other sensitive information that you
don’t want to decrypt, either block those sites to avoid allowing
encrypted risky traffic while also avoiding privacy issues, or create
a No Decryption rule to handle the sensitive traffic.
Custom URL categories (see
For example, you can create a custom URL category to specify a group
of sites you need to access for business purposes but that don’t
support the safest protocols and algorithms, and then apply a customized
Decryption profile to allow the looser protocols and algorithms
for just those sites (that way, you don’t decrease security by downgrading
the Decryption profile you use for most sites).
Set the rule to either decrypt matching traffic or to
exclude matching traffic from decryption.
and set the policy
decrypt matching traffic:
for the firewall to perform on matching traffic:
perform additional checks on traffic that matches the policy rule.
Although applying a Decryption
profile to decrypted traffic is optional, it is a best practice
to always apply a Decryption profile to the policy rules to protect
your network against encrypted threats. You can’t protect yourself
against threats you can’t see.
For example, attach a Decryption profile to a policy rule
to ensure that server certificates are valid and to block sessions
using unsupported protocols or ciphers. To create a Decryption profile,
Create a Decryption policy rule or open
an existing rule to modify it.
and select a
to block and control various aspects of the
traffic matched to the rule.
The profile rule settings the firewall applies to matching
traffic depends on the policy rule
or No Decrypt) and the policy rule
Forward Proxy, SSL Inbound Inspection, or SSH Proxy). This allows
you to use the different Decryption profiles with different types
of Decryption policy rules that apply to different types of traffic and
Configure Decryption logging (configure
whether to log both successful and unsuccessful TLS handshakes and
configure Decryption log forwarding).
to save the policy.
Choose your next step to fully enable the firewall to