Create a Decryption Policy Rule

Create a decryption policy rule to define traffic for the firewall to decrypt and the type of decryption you want the firewall to perform: SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy decryption. You can also use a decryption policy rule to define Decryption Exceptions.
  1. Select Policies > Decryption and Add a new decryption policy rule.
  2. Give the policy rule a descriptive Name.
  3. Configure the decryption rule to match traffic based on network and policy objects:
    • Firewall security zones—Select Source and/or Destination and match traffic based on the Source Zone and/or the Destination Zone.
    • IP addresses, address objects, and/or address groups—Select Source and/or Destination to match traffic based on Source Address and/or Destination Address. Alternatively, select Negate to exclude the source address list from decryption.
    • Users—Select Source and set the Source User for whom to decrypt traffic. You can decrypt specific user or group traffic, or decrypt traffic for certain types of users, such as unknown users or pre-logon users (users that are connected to GlobalProtect but are not yet logged in).
    • Ports and protocols—Select Service/URL Category to set the rule to match traffic based on service. By default, the policy rule is set to decrypt Any traffic on TCP and UDP ports. You can Add a service or a service group, and optionally set the rule to application-default to match applications only on their default ports.
    The application-default setting is useful for configuring Decryption Exceptions: you can exclude applications running on their default ports from decryption while continuing to decrypt the same applications when they are detected on non-standard ports.
    • URLs and URL categories—Select Service/URL Category and decrypt traffic based on:
      • An externally hosted list of URLs that the firewall retrieves for policy enforcement (see Objects > External Dynamic Lists).
      • Custom URL categories (see Objects > Custom Objects > URL Category).
      • Palo Alto Networks URL categories. This option is useful for configuring Decryption Exceptions. For example, you could create a custom URL category to group sites that you do not want to decrypt, or you could exclude financial or healthcare-related sites from decryption based on the Palo Alto Networks URL categories.
  4. Set the action the policy rule enforces on matching traffic: the rule can either decrypt matching traffic or exclude matching traffic from decryption. Select Options and set the policy rule Action:
    Decrypt matching traffic:
    1. Select Decrypt.
    2. Set the Type of decryption for the firewall to perform on matching traffic (SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy, as described above).
    Exclude matching traffic from decryption: Select No Decrypt.
  5. (Optional) Select a Decryption Profile to apply the profile settings to decrypted traffic. (To Create a Decryption Profile, select Objects > Decryption Profile.)
  6. Click OK to save the policy.
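Because the firewall applies the first decryption rule that matches, the order of No Decrypt exceptions relative to the broad Decrypt rule decides what is actually decrypted. The following is an added illustration written for this page, not PAN-OS code or the firewall's real matching engine: it models only the match fields from the procedure above (zones, source addresses with Negate, users, service including application-default, URL category) and the Decrypt / No Decrypt action. The rulebase, zone names, subnets, users, URL category names and the application default-port table are all constructed for the example.

```python
"""Toy first-match model of a decryption rulebase (added example, not PAN-OS code).

Match fields follow the procedure above: zones, source/destination addresses
with Negate, users, service (ports or application-default) and URL category.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "any"

# Constructed stand-in for the firewall's App-ID default ports.
APP_DEFAULT_PORTS = {"ssl": {443}, "ssh": {22}}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    user: str
    app: str
    dst_port: int
    url_category: str


@dataclass(frozen=True)
class DecryptionRule:
    name: str
    action: str                          # "decrypt" or "no-decrypt"
    decrypt_type: Optional[str] = None   # ssl-forward-proxy, ssl-inbound-inspection, ssh-proxy
    src_zones: frozenset = frozenset({ANY})
    dst_zones: frozenset = frozenset({ANY})
    src_addrs: tuple = (ANY,)            # CIDR strings, or ANY
    negate_source: bool = False          # Negate: exclude the listed sources from the rule
    dst_addrs: tuple = (ANY,)
    users: frozenset = frozenset({ANY})
    services: frozenset = frozenset({ANY})   # port numbers, or "application-default"
    url_categories: frozenset = frozenset({ANY})
    profile: Optional[str] = None        # Decryption Profile applied when decrypting

    @staticmethod
    def _addr_match(addrs, ip):
        return ANY in addrs or any(ip_address(ip) in ip_network(c) for c in addrs)

    def _service_match(self, flow):
        if ANY in self.services:
            return True
        if "application-default" in self.services:
            # Only the app's default ports match; the same app on an odd port falls through.
            return flow.dst_port in APP_DEFAULT_PORTS.get(flow.app, set())
        return flow.dst_port in self.services

    def matches(self, flow):
        src_ok = self._addr_match(self.src_addrs, flow.src_ip)
        if self.negate_source:
            src_ok = not src_ok
        return (
            (ANY in self.src_zones or flow.src_zone in self.src_zones)
            and (ANY in self.dst_zones or flow.dst_zone in self.dst_zones)
            and src_ok
            and self._addr_match(self.dst_addrs, flow.dst_ip)
            and (ANY in self.users or flow.user in self.users)
            and self._service_match(flow)
            and (ANY in self.url_categories or flow.url_category in self.url_categories)
        )


def evaluate(rulebase, flow):
    """First matching rule wins; traffic matching no rule is not decrypted."""
    for rule in rulebase:
        if rule.matches(flow):
            return rule.name, rule.action
    return None, "no-decrypt"


# Constructed rulebase: No Decrypt exceptions first, then a broad SSL Forward Proxy rule.
RULEBASE = [
    DecryptionRule("no-decrypt-sensitive-categories", "no-decrypt",
                   url_categories=frozenset({"financial-services", "health-and-medicine"})),
    DecryptionRule("no-decrypt-infra-on-default-ports", "no-decrypt",
                   services=frozenset({"application-default"}),
                   url_categories=frozenset({"computer-and-internet-info"})),
    DecryptionRule("decrypt-outbound", "decrypt", decrypt_type="ssl-forward-proxy",
                   src_zones=frozenset({"trust"}), dst_zones=frozenset({"untrust"}),
                   src_addrs=("10.0.99.0/24",), negate_source=True,   # everyone except this subnet
                   profile="strict-forward-proxy"),
]


def demo():
    """Constructed flows (documentation addresses) run through RULEBASE."""
    flows = {
        "bank": Flow("trust", "untrust", "10.0.1.5", "203.0.113.10", "alice", "ssl", 443, "financial-services"),
        "shop": Flow("trust", "untrust", "10.0.1.5", "203.0.113.20", "alice", "ssl", 443, "shopping"),
        "exempt-host": Flow("trust", "untrust", "10.0.99.7", "203.0.113.20", "svc", "ssl", 443, "shopping"),
        "ssl-default-port": Flow("trust", "untrust", "10.0.1.5", "203.0.113.30", "bob", "ssl", 443, "computer-and-internet-info"),
        "ssl-odd-port": Flow("trust", "untrust", "10.0.1.5", "203.0.113.30", "bob", "ssl", 8443, "computer-and-internet-info"),
    }
    return {label: evaluate(RULEBASE, f) for label, f in flows.items()}


if __name__ == "__main__":
    for label, (rule, action) in demo().items():
        print(f"{label:18} -> {action:10} ({rule})")
```

Running it shows the three behaviours the procedure describes: the financial-services flow is exempted by the category rule, the host in the negated source subnet matches nothing and so is left encrypted, and SSL on its default port 443 is exempted by the application-default rule while the same application on 8443 falls through to the Decrypt rule.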