SSL Inbound Inspection decrypts and inspects traffic entering your network for
threats before it reaches your internal servers. Organizations, especially in highly
regulated industries, often store the private keys for server certificates on
hardware security modules (HSMs) for
tamper-proof security. However, PAN-OS® 11.1 and earlier versions couldn't perform
inbound inspection of TLSv1.3 sessions when private keys resided on an HSM. As a
workaround, Next-Generation Firewalls (NGFWs) automatically downgraded TLSv1.3
connections to TLSv1.2. The downgraded connections lacked the security and
performance benefits unique to TLSv1.3.
PAN-OS 11.2 resolves this issue by adding support for inbound inspection of TLSv1.3
sessions when private keys are protected by an HSM. After you
enable this feature, you can both secure
private keys with HSMs and gain full visibility into traffic secured by the latest
TLS version. This feature is compatible only with Thales Luna Network HSMs and
Entrust nShield HSMs and requires connectivity between your HSMs and virtual or
physical NGFWs.
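One way to confirm that inbound sessions through the NGFW are actually negotiated as TLSv1.3 rather than silently downgraded to TLSv1.2 is to connect with the openssl CLI and read the protocol it reports. This is an added example, not part of the PAN-OS documentation or product; it assumes openssl is installed, and the host and port are placeholders you supply.

```shell
#!/bin/sh
# Added example (not PAN-OS code): report the TLS version a server behind the
# firewall negotiates, to detect the TLSv1.2 downgrade described above.
# Assumes the openssl CLI is available; HOST and PORT are placeholders.

# Read `openssl s_client` output on stdin and print the negotiated protocol
# (e.g. TLSv1.3 or TLSv1.2), or UNKNOWN if no Protocol line is present.
negotiated_protocol() {
    proto=$(sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1)
    if [ -n "$proto" ]; then
        printf '%s\n' "$proto"
    else
        printf 'UNKNOWN\n'
    fi
}

# Classify a protocol string: OK for TLSv1.3, DOWNGRADED when an older TLS
# version was negotiated even though the client offered TLSv1.3.
classify_protocol() {
    case "$1" in
        TLSv1.3) echo OK ;;
        TLSv1.2|TLSv1.1|TLSv1) echo DOWNGRADED ;;
        *) echo UNKNOWN ;;
    esac
}

# Connect to HOST:PORT (openssl offers up to TLSv1.3 by default) and print
# "<protocol> <verdict>", e.g. "TLSv1.2 DOWNGRADED".
check_inbound_tls13() {
    host=$1
    port=${2:-443}
    proto=$(openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null | negotiated_protocol)
    printf '%s %s\n' "$proto" "$(classify_protocol "$proto")"
}

# Usage: ./check_tls13.sh internal.example.com 443   (placeholder host)
if [ "$#" -gt 0 ]; then
    check_inbound_tls13 "$@"
fi
```

Run it against each HSM-protected server from outside the firewall before and after enabling the feature; a verdict of DOWNGRADED means the session is still being negotiated below TLSv1.3.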