Learn about new Decryption features in PAN-OS® 10.0.
New Decryption Feature
Decryption for TLSv1.3
You can now decrypt, gain full
visibility into, and prevent known and unknown threats in TLSv1.3 protocol
traffic. TLSv1.3 is the latest version of the TLS protocol, which
provides security and performance improvements for applications.
PAN-OS 10.0 supports TLSv1.3 decryption in all modes: SSL Forward
Proxy, SSL Inbound Inspection, SSL Decryption Broker, and SSL Decryption
Port Mirroring, and also for GlobalProtect Clientless VPN (browser
to GlobalProtect Portal only).
Enhanced SSL Decryption Troubleshooting
You can now troubleshoot SSL Decryption-related issues
and assess your security posture more easily with new Application
Command Center (ACC) features and consolidated Decryption logs.
Use the new ACC features to identify traffic for which decryption
causes problems and then use the new Decryption logs to drill down
into details and solve the problem. Also use the new ACC features
to identify the amount of TLS traffic, non-TLS traffic, decrypted
traffic, and non-decrypted TLS traffic. In addition, use the ACC
to identify traffic that uses weak algorithms and protocols and
mitigate the risk associated with applications, servers, and other devices
that use older, less secure protocols and algorithms.
Block Export of Private Keys
You can now block the export of a private
key when generating it on PAN-OS or Panorama, or when importing
the key into PAN-OS or Panorama. Blocking key export hardens your
security posture because it prevents rogue administrators from misusing
keys. You can view which keys are blocked and which keys are not
blocked, but even an administrator with a Superuser role can’t
export blocked private keys.