Create a decryption policy rule to define traffic for the firewall to decrypt and the type of decryption you want the firewall to perform: SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy decryption. You can also use a decryption policy rule to define Decryption Exceptions.
Configure a Decryption Policy Rule
Select Policies > Decryption and Add a new decryption policy rule.
Give the policy rule a descriptive Name.
Configure the decryption rule to match to traffic based on network and policy objects: Firewall security zones —Select Source and/or Destination and match to traffic based on the Source Zone and/or the Destination Zone. IP addresses, address objects, and/or address groups —Select Source and/or Destination to match to traffic based on Source Address and/or the Destination Address. Alternatively, select Negate to exclude the source address list from decryption. Users—Select Source and set the Source User for whom to decrypt traffic. You can decrypt specific user or group traffic, or decrypt traffic for certain types of users, such as unknown users or pre-logon users (users that are connected to GlobalProtect but are not yet logged in). Ports and protocols —Select Service/URL Category to set the rule to match to traffic based on service. By default, the policy rule is set to decrypt Any traffic on TCP and UDP ports. You can Add a service or a service group, and optionally set the rule to application-default to match to applications only on the application default ports. The application-default setting is useful to Configure Decryption Exceptions. You can exclude applications running on their default ports from decryption, while continuing to decrypt the same applications when they are detected on non-standard ports URLs and URL categories —Select Service/URL Category and decrypt traffic based on: An externally-hosted list of URLs that the firewall retrieves for policy-enforcement (see Objects > External Dynamic Lists). Custom URL categories (see Objects > Custom Objects > URL Category). Palo Alto Networks URL categories. This option is useful to Configure Decryption Exceptions. For example, you could create a custom URL category to group sites that you do not want to decrypt, or you could exclude financial or healthcare-related sites from decryption based on the Palo Alto Networks URL categories.
Set the action the policy rule enforces on matching traffic: the rule can either decrypt matching traffic or exclude matching traffic from decryption. Select Options and set the policy rule Action: Decrypt matching traffic: Select Decrypt . Set the Type of decryption for the firewall to perform on matching traffic: SSL Forward Proxy SSH Proxy SSL Inbound Inspection. If you want to enable SSL Inbound Inspection, also select the Certificate for the destination internal server for the inbound SSL traffic. Exclude matching traffic from decryption: Select No Decrypt.
(Optional) Select a Decryption Profile to apply the profile settings to decrypted traffic. (To Create a Decryption Profile, select Objects > Decryption Profile).
Click OK to save the policy.
Choose your next step... Fully enable the firewall to decrypt traffic: Configure SSL Forward Proxy Configure SSL Inbound Inspection Configure SSH Proxy Configure Decryption Exceptions

Related Documentation