Decryption for TLSv1.3

Decrypt TLSv1.3 traffic to protect against threats in encrypted traffic while benefiting from TLSv1.3 application security and performance improvements.
You can now decrypt, gain full visibility into, and prevent known and unknown threats in TLSv1.3 traffic. TLSv1.3 is the latest version of the TLS protocol, which provides application security and performance improvements. Your existing Decryption policies work with TLSv1.3 when you configure the associated Decryption profile to use TLSv1.3 as the minimum protocol version or to use TLSv1.3 or Max as the maximum protocol version. The firewall supports TLSv1.3 decryption in all modes (Forward Proxy, Inbound Inspection, Decryption Broker, and Decryption Port Mirroring).
To use TLSv1.3, the client and server must be able to negotiate TLSv1.3 ciphers. For websites that don’t support TLSv1.3, the firewall selects an older version of the TLS protocol that the server supports.
The firewall supports the following decryption algorithms for TLSv1.3:
  • TLS13-AES-128-GCM-SHA256
  • TLS13-AES-256-GCM-SHA384
  • TLS13-CHACHA20-POLY1305-SHA256
Follow decryption best practices when setting the TLS and protocol version in your Decryption profiles. See TLSv1.3 Decryption for details.
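
As an added example (not Palo Alto Networks code), the following Python script parses a ClientHello record and reports whether the client offers TLSv1.3 together with at least one of the three suites listed above, which is the precondition for the TLSv1.3 negotiation described earlier. The pairing of the firewall's suite names with IANA code points, the function names, and the sample records produced by `build_client_hello` are assumptions of this example; it expects the whole ClientHello in a single TLS record.

```python
import struct
# IANA code points paired with the firewall's suite names from the list above;
# the pairing is this example's assumption, not taken from the page.
FIREWALL_TLS13 = {
    0x1301: "TLS13-AES-128-GCM-SHA256",
    0x1302: "TLS13-AES-256-GCM-SHA384",
    0x1303: "TLS13-CHACHA20-POLY1305-SHA256",
}
EXT_SUPPORTED_VERSIONS, TLS13 = 43, 0x0304

def u16(buf, i):
    return int.from_bytes(buf[i:i + 2], "big")

def parse_client_hello(record):
    """Return (cipher_suites, supported_versions) from one record holding a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        pos = 34 + 1 + body[34]                  # legacy_version, random, session_id
        n = u16(body, pos)
        suites = [u16(body, i) for i in range(pos + 2, pos + 2 + n, 2)]
        pos += 2 + n
        pos += 1 + body[pos]                     # compression methods
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    versions, end, pos = [], pos + 2 + u16(body, pos), pos + 2
    while pos + 4 <= min(end, len(body)):        # walk the extension list
        etype, elen = struct.unpack_from(">HH", body, pos)
        ext = body[pos + 4:pos + 4 + elen]
        if etype == EXT_SUPPORTED_VERSIONS and ext:
            versions = [u16(ext, i) for i in range(1, 1 + ext[0], 2)]
        pos += 4 + elen
    return suites, versions

def tls13_decryptable(record):
    """(True, names) if the client offers TLSv1.3 and at least one listed suite."""
    suites, versions = parse_client_hello(record)
    common = [FIREWALL_TLS13[s] for s in suites if s in FIREWALL_TLS13]
    return TLS13 in versions and bool(common), common

def build_client_hello(suites, versions):
    """Constructed sample input: a minimal ClientHello record, not a capture."""
    vs = b"".join(v.to_bytes(2, "big") for v in versions)
    ext = struct.pack(">HHB", EXT_SUPPORTED_VERSIONS, len(vs) + 1, len(vs)) + vs if vs else b""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + len(cs).to_bytes(2, "big") + cs
            + b"\x01\x00" + len(ext).to_bytes(2, "big") + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs
```

A `False` result means the session would be expected to fall back to an older TLS version, as the page describes for endpoints that cannot negotiate TLSv1.3.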