Decryption Features

Learn about new Decryption features in PAN-OS® 10.0.
New Decryption Feature
Decryption for TLSv1.3
You can now decrypt, gain full visibility into, and prevent known and unknown threats in TLSv1.3 protocol traffic. TLSv1.3 is the latest version of the TLS protocol, which provides security and performance improvements for applications. PAN-OS 10.0 supports TLSv1.3 decryption in all modes: SSL Forward Proxy, SSL Inbound Inspection, SSL Decryption Broker, and SSL Decryption Port Mirroring, and also for GlobalProtect Clientless VPN (browser to GlobalProtect Portal only).
Enhanced SSL Decryption Troubleshooting
You can now troubleshoot SSL Decryption-related issues and assess your security posture more easily with new Application Command Center (ACC) features and consolidated Decryption logs. Use the new ACC features to identify traffic for which decryption causes problems and then use the new Decryption logs to drill down into details and solve the problem. Also use the new ACC features to identify the amount of TLS traffic, non-TLS traffic, decrypted traffic, and non-decrypted TLS traffic. In addition, use the ACC to identify traffic that uses weak algorithms and protocols and mitigate the risk associated with applications, servers, and other devices that use older, more insecure protocols and algorithms.
Block Export of Private Keys
You can now block the export of a private key when generating it on PAN-OS or Panorama, or when importing the key into PAN-OS or Panorama. Blocking key export hardens your security posture because it prevents rogue administrators from misusing keys. You can view which keys are blocked and which keys are not blocked. However, even an administrator with a Superuser role can’t export blocked private keys.

Recommended For You