Decryption Administration
  • Decryption Administration
  • Network Security Documentation
  • All Documentation
>
Define Traffic to Decrypt
Focus
Download PDF
Focus
  1. Home
  2. Network Security
  4. Enable Decryption
  5. Define Traffic to Decrypt
Download PDF
Network Security

Define Traffic to Decrypt

Table of Contents

Define Traffic to Decrypt

Decryption policy rules granularly define the traffic to decrypt or not to decrypt based on the source, destination, service (application port), and URL category.
Where Can I Use This?What Do I Need?
No separate license required for decryption when using NGFWs or Prisma Access.
Note: The features and capabilities available to you in Strata Cloud Manager depend on your active license(s).
Decryption policy rules define the traffic that you decrypt or do not decrypt. You can craft granular rules based on network and policy objects, including source, destination, service (application port), URL category, and users. Decryption policy rules also define the type of decryption performed: SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy. Additionally, you can enable Decryption Mirroring, decryption log settings, and additional controls, such as checks for expired certificates by applying a decryption profile to a rule.
Decryption Policy Rules provides more details.

Best Practices and Considerations for Decryption Policy Rules

Strike a balance between thorough inspection and efficient performance, compliance, security, and resource management. Decrypting all traffic indiscriminately can be resource-intensive. For example, if Next-Generation Firewall (NGFW) performance and sizing are major considerations, you might prioritize the decryption and inspection of traffic to high- or medium-risk URL categories, traffic destined for critical servers, or business-critical traffic. Evaluate the potential impacts of decryption on major applications or servers.
In another case, you might decide not to decrypt the traffic of high-level business executives. You can do so by creating a no-decrypt decryption policy rule with the executive's User-ID as a source.
Create targeted decryption policy rules for different network segments and user groups. Different segments of the network may have varying levels of risk and security requirements. For example, traffic between external networks and internal zones typically requires stricter scrutiny. Decrypting traffic selectively allows the implementation of customized security policies that provide appropriate levels of protection without compromising performance or privacy for other users. Use the controls available to create targeted decryption policy rules that take into account the most important factors to you. You might even update your decryption policy rules to optimize troubleshooting efforts.
Create rules that are as specific or general as needed and order them appropriately. Many Palo Alto Networks services rely on decryption. Clearly define which types of traffic should be decrypted, ensuring that the rules are specific enough to be effective but broad enough to cover necessary use cases.
Place rules that exclude traffic from decryption at the top. Decryption policy rules are compared against the traffic in sequence.
  • Decryption policy rules are evaluated from top to bottom; more specific rules must precede more general rules.
  • For granular control over how the traffic is decrypted, such as invoking checks for server certificates, unsupported modes, and failures, configure a decryption profile and attach it to decryption policy rules.
Exclude certain traffic from decryption. Create a no-decrypt policy rule for traffic that you choose not to decrypt for business, legal, regulatory, or other reasons. For traffic that breaks decryption for technical reasons, such as certificate pinning, add the server to the SSL decryption exclusion list.
Best Practices:
  • Block known dangerous URL filtering categories such as malware, phishing, dynamic-dns, unknown, command-and-control, proxy-avoidance-and-anonymizers, copyright-infringement, extremism, newly-registered-domain, grayware, and parked. If you must allow any of these categories for business reasons, decrypt them and apply strict Security profiles to the traffic.
  • URL categories that you should always decrypt if you allow them include: online-storage-and-backup, web-based-email, web-hosting, personal-sites-and-blogs, and content-delivery-networks.
In Security policy rules, block the Quick UDP Internet Connections (QUIC) protocol unless you want to allow encrypted browser traffic for business reasons. Chrome and some other browsers establish sessions using QUIC instead of TLS. QUIC uses proprietary encryption that NGFWs can’t decrypt, so potentially dangerous traffic may enter the network as encrypted traffic. Blocking QUIC forces the browser to fall back to TLS and enables de ryption of the traffic.
Create a Security policy rule that blocks QUIC on its UDP service ports (80 and 443) and create a separate rule that blocks the QUIC application. For the rule that blocks UDP ports 80 and 443, create a Service that includes UDP ports 80 and 443.
Before creating a decryption policy rule, understand that the set of IPv4 addresses is treated as a subset of the set of IPv6 addresses, as described in detail in Policy.
Deploy SSL Decryption Using Best Practices provides additional insights.

Define Traffic to Decrypt (Strata Cloud Manager)

  1. Log in to Strata Cloud Manager.
  2. Add a new decryption policy rule.
    1. Select Manage Configuration NGFW and Prisma Access Security Services Decryption.
    2. In the Decryption Policies section, click Add Rule.
  3. Provide basic information to identify the rule.
    1. Enter a descriptive Name.
    2. (Optional) Enter a Description of the rule.
    3. (Optional) Select a Position.
    4. (Optional) Select Tags.
  4. Specify match criteria based on network and policy objects.
    A rule only applies to traffic that matches all specified criteria.
    • Configure the following Source and Destination settings to enforce traffic based on its origin or where it terminates:
      • Zones—Click Add Zones, then select existing Zones (for example, Internet), or click the down arrow and select Any Zone. You can also create a zone.
      • Addresses—Click Add Addresses, then select existing Addresses, or click the down arrow and select Any Address. You can also add Address Groups, External Dynamic Lists, and Regions, or (Destination section) SaaS Application Endpoints.
        To exclude Address objects from decryption:
        1. Specify at least one address, address group, external dynamic list, or region.
        2. Select Exclude (Negate).
      • Users—Click Add User Groups or Add Users, then select existing user groups or local users, or click Add Local User Groups or Add Local Users to create new user groups or users.
        You can also decrypt traffic for Any User or certain types of users: Match pre-logon (users who are connected to GlobalProtect but are not yet logged in), Match known-user, or Match unknown.
      • Devices—Click Add Device Profiles or (Source section) Add HIP Profiles, then select existing profiles or in the case of HIP Profiles, create a Host Information profile. You can also select Any or Match no-hip.
    • Configure Services and URLs settings to match traffic based on service (port and protocols) or URL categories:
      • Service Entities—Click Add Services or Add Service Groups, then either select existing services or service groups or click Create New to create a new entity.
        By default, decryption policy rules decrypt any traffic on TCP and UDP ports. However, you can click the down arrow and select Any Service, if necessary. To match applications on the default application ports, click the down arrow and select application-default.
        The application-default setting can be useful when you create a policy-based decryption exclusion. You can exclude applications running on their default ports from decryption, while continuing to decrypt the same applications if they are detected on nonstandard ports.
      • URL Category Entities—Click Add URL Categories, then select existing URL categories or click Create New. To apply the rule to any URL category, click the down arrow and select Any URL Category. You can also Add External Dynamic Lists and SaaS Application Endpoints. To create a new external dynamic list while configuring the rule, click Create New.
  5. Specify how traffic that matches the rule is handled.
    1. In the Action and Advanced Inspection section, for Action, select either Decrypt or Do Not Decrypt.
      If you selected Decrypt, select a decryption Type:
      • SSL Forward Proxy.
        SSL Inbound Inspection. Then, Add one or more Certificates for the internal server you want to protect. Decryption policy rules for SSL Inbound Inspection support a maximum of 12 certificates.
        You can decrypt SSL/TLS traffic bound for an internal server that hosts multiple domains, each domain with its own certificate. The NGFW negotiates SSL/TLS connections using the certificate in your policy rule that matches the one the server presents for the requested URL.
        To update certificates for protected internal servers without incurring downtime, renew or obtain a new server certificate before it expires or otherwise becomes invalid. Then, import the certificate and private key onto your NGFW or Strata Cloud Manager, add it to an SSL Inbound Inspection policy rule before installing the same certificate onto your web server. Updating your policy rule with a new certificate while another is active on your web server prepares the NGFW to decrypt traffic to the server regardless of the certificate in use. Configure SSL Inbound Inspection describes this process further.
    2. (Optional) Enforce TLS and Certificate Validation.
    3. (Optional) Apply a decryption profile to block and control various aspects of traffic governed by the decryption policy rule.
      Although optional, always apply a decryption profile to decryption policy rules to protect your network against encrypted threats. You can’t protect yourself against threats you can’t see.
      For SSL decryption, you can define the TLS protocol versions, key exchange algorithms, encryption algorithms, and authentication algorithms allowed for SSL Forward Proxy and SSL Inbound Inspection connections. You can also block sessions with weak protocol versions, expired certificates, and other options.
      The profile settings the NGFW applies to matching traffic depends on the policy rule action (Decrypt or Do Not Decrypt) and decryption type (SSL Forward Proxy and SSL Inbound Inspection). This allows you to use the different decryption profiles with different types of decryption policy rules that apply to different types of traffic and users.
    4. Create or modify a decryption profile if you haven't already.
    5. Under Action and Advanced Inspection, select a Decryption Profile.
  6. Configure decryption logging.
    You can log successful and unsuccessful TLS handshakes and configure external log forwarding.
  7. Save the decryption policy rule.
  8. Click Push Config to begin enforcing the rule.
  9. Test your decryption configuration, and make any necessary adjustments based on your findings.
  10. Choose your next step:

Define Traffic to Decrypt (PAN-OS & Panorama)

  1. Add a new decryption policy rule.
    Select PoliciesDecryption, Add a new decryption policy rule, and give the policy rule a descriptive Name.
  2. Configure the decryption rule to match to traffic based on network and policy objects:
    • Firewall security zones—Select Source or Destination and match to traffic based on the Source Zone or Destination Zone.
    • IP addresses, address objects, or address groups—Select Source or Destination to match to traffic based on the Source Address or the Destination Address. Alternatively, select Negate to exclude the source address list from decryption.
    • Users—Select Source and set the Source User for whom to decrypt traffic. You can decrypt specific user or group traffic or decrypt traffic for certain types of users, such as unknown users or pre-logon users (users who are connected to GlobalProtect but are not yet logged in).
    • Ports and protocols—Select Service/URL Category to set the rule to match to traffic based on service. By default, the policy rule is set to decrypt Any traffic on TCP and UDP ports. You can Add a service or a service group, and optionally set the rule to application-default to match to applications only on the application default ports.
    The application-default setting can be useful when you create a policy-based decryption exclusion. You can exclude applications running on their default ports from decryption, while continuing to decrypt the same applications when they are detected on nonstandard ports.
    • URLs and URL categories—Select Service/URL Category and decrypt traffic based on:
      • An externally hosted list of URLs that the NGFW retrieves for policy-enforcement (see ObjectsExternal Dynamic Lists).
      • Palo Alto Networks predefined URL categories, which make it easy to decrypt entire categories of allowed traffic. This option is also useful when you create policy-based decryption exclusions because you can exclude sensitive sites by category instead of individually. For example, although you can create a custom URL category to group sites that you do not want to decrypt, you can also exclude financial or healthcare-related sites from decryption based on the predefined Palo Alto Networks URL categories. In addition, you can block risky URL categories and create comfort pages to communicate the reason the sites are blocked, or enable users to opt out of SSL decryption.
        You can use the predefined high-risk and medium-risk URL categories to create a decryption policy rule that decrypts all high-risk and medium-risk URL traffic. Place the rule at the bottom of the rulebase (all decryption exceptions must be above this rule so that you don’t decrypt sensitive information) as a safety net to ensure that you decrypt and inspect all risky traffic. However, if high-risk or medium-risk sites to which you allow access contain personally identifiable information (PII) or other sensitive information that you don’t want to decrypt, either block those sites to avoid allowing encrypted risky traffic while also avoiding privacy issues or create a no- decrypt policy rule to handle the sensitive traffic.
      • Custom URL categories (see ObjectsCustom ObjectsURL Category). For example, you can create a custom URL category to specify a group of sites you need to access for business purposes but that don't support the safest protocols and algorithms, and then apply a customized decryption profile to allow the weaker protocols and algorithms for just those sites (that way, you don’t decrease security by downgrading the decryption profile you use for most sites).
  3. Set the rule to either decrypt matching traffic or to exclude matching traffic from decryption.
    Select Options and set the policy rule Action:
    To decrypt matching traffic:
    1. Set the Action to Decrypt.
    2. Select the Type of decryption:
      • SSL Forward Proxy.
      • SSL Inbound Inspection. Then, Add one or more Certificates for the destination internal server of the inbound SSL traffic. SSL Inbound Inspection policy rules support a maximum of 12 certificates.
        You can configure a decryption policy rule to decrypt SSL/TLS traffic bound for an internal server that hosts multiple domains, each domain with its own certificate. The NGFW negotiates SSL/TLS connections using the certificate in your policy rule that matches the one the server presents for the requested URL.
        To update certificates for protected internal servers without incurring downtime, renew or obtain a new server certificate before it expires or otherwise becomes invalid. Then, import the certificate and private key onto your NGFW or Strata Cloud Manager, add it to an SSL Inbound Inspection policy rule before installing the same certificate onto your web server. Updating your policy rule with a new certificate while another is active on your web server prepares the NGFW to decrypt traffic to the server regardless of the certificate in use. Configure SSL Inbound Inspection describes this process further.
        (Panorama ) Support for multiple certificates in SSL Inbound Inspection policy rules is unavailable in PAN-OS® versions earlier than PAN-OS 10.2. If you push an SSL Inbound Inspection policy rule with multiple certificates from a Panorama management server running PAN-OS 10.2 to a NGFW running an earlier version, the policy rule on the managed NGFW inherits only the first certificate from the alphabetically sorted list of certificates.
        Before pushing your decryption policy rule from Panorama, we recommend you set up different templates or device groups for NGFWs running PAN-OS 10.1 and earlier to ensure you push the correct policy rule and certificate to the appropriate NGFWs.
      • SSH Proxy.
    To exclude matching traffic from decryption:
    Set the Action to No Decrypt.
    Apply a no-decryption profile to undecrypted traffic to block sessions with expired certificates and untrusted issuers. Just because you don't decrypt the traffic does not mean you should let just any undecrypted traffic on your network. Server certificate checks help with this.
  4. (Optional) Select a Decryption Profile to perform additional checks on traffic that matches the policy rule.
    For example, set up certificate revocation status verification to ensure that server certificates are valid or block sessions using unsupported protocols or ciphers.
    To create a decryption profile, select ObjectsDecryption Profile.
    Although optional, always apply a decryption profile to decryption policy rules to protect your network against encrypted threats. You can’t protect yourself against threats you can’t see.
    1. Create a decryption policy rule or open an existing rule to modify it.
    2. Select Options and select a Decryption Profile to block and control various aspects of the traffic matched to the rule.
      The profile rule settings applied to matching traffic depends on the policy rule Action (Decrypt or No Decrypt) and the policy rule Type (SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy). This allows you to use the different decryption profiles with different types of decryption policy rules that apply to different types of traffic and users.
    3. Click OK.
  5. Configure decryption logging (configure whether to log both successful and unsuccessful TLS handshakes and configure decryption log forwarding).
  6. Click OK to save the rule.
  7. Commit your changes.
  8. Test your decryption configuration.
  9. Choose your next step...

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.