>
    Apply Granular Settings to Traffic Matching a Decryption Policy Rule
    Focus
    Download PDF
    Focus
    1. Home
    2. Network Security
    4. Enable Decryption
    5. Apply Granular Settings to Traffic Matching a Decryption Policy Rule
    Download PDF
    Network Security

    Apply Granular Settings to Traffic Matching a Decryption Policy Rule

    Table of Contents

    Apply Granular Settings to Traffic Matching a Decryption Policy Rule

    Define protocol versions, algorithms, certificate verification, and other settings in a decryption profile for traffic meeting the criteria in associated decryption policy rules.
    Where Can I Use This?What Do I Need?
    No separate license required for decryption when using NGFWs or Prisma Access.
    Note: The features and capabilities available to you in Strata Cloud Manager depend on your active license(s).
    Configure a decryption profile to define SSL/TLS connection settings and apply various checks to traffic that you decrypt or exclude from decryption. Decryption profiles provide granular control over decrypted and nondecrypted sessions, enabling you to tailor decryption policy rules to meet specific requirements. In SSL/TLS decryption profiles, you can specify the cipher suites you support for SSL/TLS connections and enable checks, including for unsupported modes, failures, and certificate validity. In contrast, a no-decryption profile only verifies the validity of a server certificate or the trustworthiness of the certificate issuer for traffic that you intentionally don't decrypt. SSH Proxy profiles control only unsupported mode checks and failure checks. For descriptions of each setting, see Summary of Decryption Profile Settings.
    After you create a decryption profile, attach it to the appropriate decryption policy rules. Next-Generation Firewalls (NGFWs) enforce the profile settings on traffic matching all the criteria in the rule.
    If an NGFW is in FIPS-CC mode and managed by a Panorama™ management server in standard mode, a decryption profile must be created locally on the NGFW. Decryption profiles created on Panorama in standard mode contain references to the 3DES and RC4 encryption algorithms and the MD5 authentication algorithm that aren't supported and cause pushes to managed NGFWs to fail.

    Best Practices and Considerations for Decryption Profiles

    • Always apply a decryption profile to decryption policy rules to protect your network against sessions with expired certificates or untrusted issuers. You can’t protect yourself against threats you can’t see.
      Use the strongest ciphers that you can. Weak protocols and weak algorithms contain known vulnerabilities that attackers can exploit. Set Min Version to TLSv1.3 and Max Version to Max to block weak protocols.
    • Create separate decryption profiles when necessary to maximize security, and reuse them where applicable.
      • For example, suppose a key partner or contractor uses legacy systems with weak protocols or algorithms. You can create a decryption profile that allows the weaker protocols or algorithms and attach it to a decryption policy rule that applies only to the relevant traffic (for example, the source IP address of the partner).
      • If you need to allow client authentication, create a decryption profile with client authentication settings, and apply it only to traffic that requires client authentication.
        Create separate profiles with protocol settings that match the capabilities of the servers whose inbound or outbound traffic you are inspecting.
    • Many mobile applications use pinned certificates. Because TLSv1.3 encrypts certificate information, the NGFW can’t automatically add these mobile applications to the SSL Decryption Exclusion List. For these applications, set the protocol Max Version to TLSv1.3, or create or apply a no-decryption policy rule to the traffic.
    • For SSL Forward Proxy traffic and no-decrypt traffic (traffic that you choose not to decrypt), configure both certificate revocation list (CRL) and Online Certificate Status Revocation (OCSP) certificate revocation checks.
    Best Practices By Profile Type
    SSL Forward Proxy
    • Block sessions with expired certificates
    • Block sessions with untrusted issuers
    • Block sessions with unsupported protocol versions
    • Block sessions with unsupported cipher suites
    • Block sessions with client authentication (unless an important application requires it)
    SSL Inbound Inspection
    • Block sessions with unsupported versions
    • Block unsupported cipher suites
    No Decryption
    Don’t apply a no-decryption profile to TLSv1.3 traffic. The certificate information is encrypted, so the NGFW can’t block sessions based on certificate information.
    • Block sessions with expired certificates
    • Block sessions with untrusted issuers
    SSH Proxy
    • Block sessions with unsupported versions
    • Block sessions with unsupported algorithms
    For more insights, see Deploy SSL Decryption Using Best Practices.

    Apply Granular Settings to Traffic Matching a Decryption Policy Rule (Strata Cloud Manager)

    1. Create a decryption profile.
      1. Select Manage Configuration Security Services Decryption. Under Decryption Profiles, click Add Profile.
      2. Enter a descriptive Name for the profile.
    2. Specify TLS protocol versions and cipher suites to support for TLS connections:
      Under Handshake Settings:
      1. Select a Protocol Min Version: SSLv3.0, TLSv1.0 through TLSv1.3.
      2. Select a Protocol Max Version: SSLv3.0, TLSv1.0 through TLSv1.3, and Max.
        Set the Protocol Max Version to Max to support the newest TLS protocol version when available.
      3. Add or Remove the desired Key Exchange Algorithms.
        The RSA, DHE, and ECDHE key exchange algorithms are enabled by default.
        To remove an algorithm, select the algorithm and then click Remove.
      4. Add or Remove the desired Encryption Algorithms.
      5. Add or Remove the desired Authentication Algorithms.
        The MD5 algorithm is blocked by default.
    3. (Optional) Configure Server Certificate Verification settings, Unsupported Mode Checks, Failure Checks, and Client Extension settings for SSL Forward Proxy.
      1. For Server Certificate Verification, select Block sessions with expired certificates or Block sessions with untrusted issuers.
      2. For Unsupported Mode Checks, select Block sessions with unsupported versions or Block sessions with unsupported cipher suites.
      3. (Optional) To configure additional Server Certificate Verification settings, Unsupported Mode Checks, Failure Checks, and Client Extension settings, select Advanced.
        An Advanced SSL Forward Proxy Settings overlay opens.
        • For Server Certificate Verification, you can configure these additional settings:
          • Block sessions with unknown certificate status
          • Block sessions on certificate status check timeout
          • Restrict certificate extensions
          • Append certificate's CN value to SAN extension
        • For Unsupported Mode Checks, you can Block sessions with client authentication.
        • For Failure Checks, you can Block downgrade on no resource.
        • For Client Extension, you can Strip ALPN.
      4. Save the advanced settings.
    4. (Optional) Configure Unsupported Mode Checks and Failure Checks for SSL Inbound Inspection.
      1. For Unsupported Mode Checks, select Block sessions with unsupported versions or Block sessions with unsupported cipher suites.
      2. For Failure Checks, select Block sessions if resources not available or Block sessions if HSM not available.
    5. (Optional) Configure Server Certificate Verification settings for traffic you don't decrypt.
      For Server Certificate Verification, select Block sessions with expired certificates or Block sessions with untrusted issuers.
      Apply no-decryption profiles to decryption policy rules that control traffic excluded from decryption for compliance, legal, and nontechnical reasons. If a server breaks decryption for technical reasons, add it to the Global Decryption Exclusion list instead.
    6. Save the profile.
    7. Commit your changes.
      Select Push ConfigPush.
    8. Apply the profile to the appropriate decryption policy rules.

    Apply Granular Settings to Traffic Matching a Decryption Policy Rule (PAN-OS & Panorama)

    1. Create a decryption profile.
      1. Select ObjectsDecryption Profile, and then click Add.
      2. Enter a descriptive Name.
      3. (Optional) To make the profile available across all virtual systems on an NGFW or each Panorama device group, select Shared.
    2. (Decryption Mirroring Only) Enable an Ethernet Interface to use to copy and forward decrypted traffic.
      Separate from this task, follow the steps to configure Decryption Port Mirroring. Be aware of local privacy regulations that prohibit mirroring or control the type of traffic that you can mirror. Decryption Port Mirroring requires a Decryption Port Mirroring license.
    3. (Optional) Enable various checks, and configure TLS connection parameters.
      For descriptions of these settings, see Summary of Decryption Profile Settings.
      1. Select SSL Decryption, and then select either SSL Forward Proxy or SSL Inbound Inspection.
        • Configure Server Certificate Verification, Unsupported Mode Checks, Failure Checks, and Client Extension settings for SSL Forward Proxy.
        • Configure Unsupported Mode Checks and Failure Checks for SSL Inbound Inspection.
      2. Specify TLS protocol versions and cipher suites to support for TLS connections:
        1. Select SSL Protocol Settings.
        2. For Protocol Versions, select a Min Version and a Max Version.
          Set the Max Version to Max to support the newest TLS protocol version when available.
        3. Enable or disable the desired Key Exchange Algorithms. The RSA, DHE, and ECDHE key exchange algorithms are enabled by default.
        4. Enable or disable the desired Encryption Algorithms.
        5. Enable or disable the desired Authentication Algorithms.
          The MD5 algorithm is blocked by default.
    4. (Optional) Configure Server Certificate Verification settings for traffic you don't decrypt.
      Apply no-decryption profiles to decryption policy rules that control traffic excluded from decryption for compliance, legal, and nontechnical reasons. If a server breaks decryption for technical reasons, add it to the SSL Decryption Exclusion list (DeviceCertificate ManagementSSL Decryption Exclusion) instead.
      1. Select No Decryption.
      2. Enable Block sessions with expired certificates or Block sessions with untrusted issuers.
    5. (Optional) Configure Unsupported Mode Checks and Failure Checks for SSH traffic.
      1. Select SSH Proxy.
      2. For Unsupported Mode Checks, enable Block sessions with unsupported versions or Block sessions with unsupported algorithms.
      3. For Failure Checks, enable Block sessions on SSH errors or Block sessions if resources not available.
    6. Apply the profile to the appropriate decryption policy rules.
    7. Commit your configuration.

    © 2025 Palo Alto Networks, Inc. All rights reserved.