Select Policies > Decryption and add a new decryption policy rule.
Give the policy rule a descriptive name.
Configure the decryption rule to match traffic based on network and policy objects:
Firewall security zones: match traffic based on the source and destination zones.
IP addresses, address objects, and/or address groups: match traffic based on the source address and the Destination Address. Alternatively, you can exclude the source address list from decryption instead of matching on it.
Users: set the users for whom to decrypt traffic. You can decrypt specific user or group traffic, or decrypt traffic for certain types of users, such as unknown users or pre-logon users (users that are connected to GlobalProtect but are not yet logged in).
Ports and protocols: set the rule to match traffic based on service. By default, the policy rule is set to decrypt traffic on TCP and UDP ports. You can add a service or a service group, and optionally set the rule to match applications only on their application-default ports. The application-default setting is useful to Configure Decryption Exceptions: you can exclude applications running on their default ports from decryption while continuing to decrypt the same applications when they are detected on non-standard ports.
URLs and URL categories: select Service/URL Category and decrypt traffic based on:
An externally-hosted list of URLs that the firewall retrieves for policy enforcement (see Objects > External Dynamic Lists).
Custom URL categories (see Objects > Custom Objects > URL Category).
Palo Alto Networks URL categories. This option is useful to Configure Decryption Exceptions. For example, you could create a custom URL category to group sites that you do not want to decrypt, or you could exclude financial or healthcare-related sites from decryption based on the Palo Alto Networks URL categories.
Set the action the policy rule enforces on matching traffic: the rule can either decrypt matching traffic or exclude matching traffic from decryption.
Decrypt matching traffic: select the type of decryption for the firewall to perform on matching traffic:
SSL Forward Proxy
SSL Inbound Inspection. If you want to enable SSL Inbound Inspection, also select the certificate for the destination internal server that receives the inbound SSL traffic.
Exclude matching traffic from decryption: the rule matches the traffic but does not decrypt it.
Optionally, attach a decryption profile to apply the profile settings to decrypted traffic. (To Create a Decryption Profile, select Objects > Decryption Profile.)
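As an added illustration (a constructed model, not PAN-OS code and not the firewall's own matching logic), the following Python evaluates an ordered decryption rulebase first-match and shows how the source-address negation, application-default port matching and URL-category exceptions described above interact; the zone names, addresses, categories and rule names are sample values.

```python
# Constructed model of first-match decryption rulebase evaluation (illustration only; not PAN-OS code).
from dataclasses import dataclass
ANY = frozenset({"any"})  # "any" means the criterion is not restricted
def _in(allowed, value):
    return allowed == ANY or value in allowed

@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_port: int
    app_default_ports: frozenset  # ports the detected application normally uses
    url_category: str

@dataclass
class DecryptionRule:
    name: str
    action: str                        # "decrypt" or "no-decrypt"
    src_zones: frozenset = ANY
    dst_zones: frozenset = ANY
    src_addrs: frozenset = ANY
    negate_source: bool = False        # exclude the source address list instead of matching it
    ports: frozenset = ANY             # service (destination port) match
    application_default: bool = False  # match apps only on their default ports
    url_categories: frozenset = ANY
    def matches(self, f: Flow) -> bool:
        if not (_in(self.src_zones, f.src_zone) and _in(self.dst_zones, f.dst_zone)):
            return False
        if self.src_addrs != ANY and (f.src_ip in self.src_addrs) == self.negate_source:
            return False  # negation flips the sense of the address list
        port_ok = (f.dst_port in f.app_default_ports if self.application_default
                   else _in(self.ports, f.dst_port))
        return port_ok and _in(self.url_categories, f.url_category)
def evaluate(rules, flow):  # first match wins; unmatched traffic stays undecrypted (assumed default)
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.action
    return None, "no-decrypt"
def example_rulebase():  # exceptions first, catch-all decrypt rule last (constructed sample values)
    return [
        DecryptionRule("no-decrypt-finance-health", "no-decrypt",
                       url_categories=frozenset({"financial-services", "health-and-medicine"})),
        DecryptionRule("no-decrypt-business-default-ports", "no-decrypt",
                       application_default=True, url_categories=frozenset({"business"})),
        DecryptionRule("decrypt-outbound", "decrypt",
                       src_zones=frozenset({"trust"}), dst_zones=frozenset({"untrust"}),
                       src_addrs=frozenset({"10.0.0.50"}), negate_source=True),
    ]
```

Rule order matters: the same business site is left undecrypted on port 443 but decrypted on port 8443, and the negated host 10.0.0.50 falls through every rule.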