The firewall now supports Perfect Forward Secrecy (PFS) for SSL Forward Proxy decrypted sessions. PFS is a property of the key exchange that prevents the compromise of one encrypted session from leading to the compromise of other encrypted sessions. With PFS, a server generates unique ephemeral private keys for each secure session that it establishes with a client. If a server private key is compromised, only the single session established with that key is vulnerable: an attacker cannot retrieve data from past and future sessions because the server establishes each connection with a uniquely generated key.
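The following is an added illustration of the PFS property described above, not PAN-OS code: two ephemeral Diffie-Hellman handshakes are run, and leaking the server's ephemeral private key from one session recovers only that session's key. It uses the RFC 2409 1024-bit MODP group purely to keep the example short; the session-key derivation is an HMAC-SHA256 extract-and-expand of my own, not the TLS key schedule.

```python
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group" (1024-bit MODP), generator 2. Chosen only to keep
# the example short; production TLS uses 2048-bit or larger groups, or ECDHE.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def ephemeral_keypair():
    """Fresh DHE key pair for one handshake; the private part is never reused."""
    priv = secrets.randbits(256)
    return priv, pow(G, priv, P)


def derive_session_key(shared_secret, transcript):
    """HKDF-style extract-then-expand (HMAC-SHA256), bound to this handshake's transcript."""
    prk = hmac.new(b"\x00" * 32, shared_secret.to_bytes(P_BYTES, "big"), hashlib.sha256).digest()
    return hmac.new(prk, transcript + b"\x01", hashlib.sha256).digest()


def handshake(session_id):
    """One DHE handshake: both sides' keys, the server ephemeral key, and what a recorder sees."""
    c_priv, c_pub = ephemeral_keypair()
    s_priv, s_pub = ephemeral_keypair()
    transcript = session_id + c_pub.to_bytes(P_BYTES, "big") + s_pub.to_bytes(P_BYTES, "big")
    client_key = derive_session_key(pow(s_pub, c_priv, P), transcript)
    server_key = derive_session_key(pow(c_pub, s_priv, P), transcript)
    observed = {"c_pub": c_pub, "s_pub": s_pub, "transcript": transcript}  # visible on the wire
    return client_key, server_key, s_priv, observed


def key_from_leaked_private(leaked_s_priv, observed):
    """Key a recorded handshake yields to someone holding one server ephemeral private key."""
    return derive_session_key(pow(observed["c_pub"], leaked_s_priv, P), observed["transcript"])


def pfs_demo():
    """Two sessions; leaking session 1's ephemeral key exposes session 1 and nothing else."""
    k1c, k1s, s1_priv, obs1 = handshake(b"session-1")
    k2c, k2s, _s2_priv, obs2 = handshake(b"session-2")
    return {
        "both_sides_agree": k1c == k1s and k2c == k2s,
        "sessions_differ": k1s != k2s,
        "leak_reveals_own_session": key_from_leaked_private(s1_priv, obs1) == k1s,
        "leak_reveals_other_session": key_from_leaked_private(s1_priv, obs2) == k2s,
    }
```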
In releases prior to PAN-OS 7.1, the firewall did not decrypt SSL sessions established using PFS key exchange algorithms. Depending on your security policy, the firewall either blocked these SSL sessions without decrypting them or decrypted the SSL sessions without maintaining PFS. Now, for SSL sessions established with PFS key exchange algorithms, the firewall both decrypts the SSL session and preserves PFS protection for both past and future sessions.
Decryption support for ephemeral Diffie-Hellman (DHE)-based PFS and elliptic curve Diffie-Hellman (ECDHE)-based PFS is enabled by default when you upgrade a firewall to PAN-OS 7.1 for sessions decrypted with the SSL Forward Proxy decryption method. You can disable support for these PFS key exchange algorithms by modifying the firewall decryption profile you apply to SSL Forward Proxy decrypted traffic.
Modify PFS Support for Decrypted SSL Traffic
Before You Begin: If the firewall is not already configured to decrypt SSL traffic from internal clients to the web, start by configuring SSL Forward Proxy decryption.
Enable or disable support to safely decrypt SSL sessions with Perfect Forward Secrecy (PFS).
1. Select Objects > Decryption Profile and Add a new decryption profile or modify an existing one.
2. Select SSL Decryption > SSL Protocol Settings.
3. Modify support to decrypt SSL sessions established using the DHE and ECDHE key exchange algorithms as needed.
4. Click OK. After an upgrade to PAN-OS 7.1, both the DHE and ECDHE options are selected by default.
Apply the updated PFS settings to decrypted traffic.
1. Verify that the updated decryption profile is attached to an existing decryption policy rule: select Policies > Decryption and scan the Decryption Profile column for the policy rule. Check the Type column to make sure that the decryption profile with the updated PFS settings is attached to an SSL Forward Proxy policy rule.
2. If it is not, add the updated decryption profile to a decryption policy rule: select Policies > Decryption and Add a policy rule or modify an existing one as needed. Select Options and set the policy rule action to Decrypt and the policy rule type to SSL Forward Proxy. From the Decryption Profile drop-down, select the updated profile with the modified PFS settings. Click OK and Commit.