1. Home
    2. PAN-OS
    3. PAN-OS® New Features Guide
    4. Decryption Features
    5. Perfect Forward Secrecy (PFS) Support
    Previous
    Next
    The firewall now supports Perfect Forward Secrecy (PFS) for SSL Forward Proxy decrypted sessions. PFS is a secure communication protocol that prevents the compromise of one encrypted session from leading to the compromise of multiple encrypted sessions. With PFS, a server generates unique private keys for each secure session that it establishes with a client. If a server private key is compromised, only the single session established with that key is vulnerable—an attacker cannot retrieve data from past and future sessions because the server establishes each connection with a uniquely generated key.
    In releases prior to PAN-OS 7.1, the firewall did not decrypt SSL sessions established using PFS key exchange algorithms. Depending on your security policy, the firewall either blocked these SSL sessions without decrypting them or decrypted the SSL sessions without maintaining PFS. Now, for SSL sessions established with PFS key exchange algorithms, the firewall both decrypts the SSL session and preserves PFS protection for both past and future sessions.
    Decryption support for ephemeral Diffie-Hellman (DHE)-based PFS and elliptic curve Diffie-Hellman (ECDHE)-based PFS is enabled by default when you upgrade a firewall to PAN-OS 7.1 for sessions decrypted with the SSL Forward Proxy decryption method. You can disable support for these PFS key exchange algorithms by modifying the firewall decryption profile you apply to SSL Forward Proxy decrypted traffic.
    Modify PFS Support for Decrypted SSL Traffic
    Before You Begin: If the firewall is not already configured to decrypt SSL traffic from internal clients to the web, start by configuring SSL Forward Proxy decryption.
    ( New ) Enable or disable support to safely decrypt SSL sessions with Perfect Forward Secrecy (PFS). Select Objects > Decryption Profile and Add or modify an existing decryption rule. Select SSL Decryption > SSL Protocol Settings. ( New Settings ) Modify support to decrypt SSL sessions established using the DHE and ECDHE key exchange algorithms as needed:
    Click OK. After an upgrade to PAN-OS 7.1, both the DHE and ECDHE options are selected by default.
    Apply the updated PFS settings to decrypted traffic. Verify that the updated decryption profile rule is attached to an existing decryption policy rule: Select Decryption > Policies and scan the Decryption Profile column for the policy rule. Check the Type column to make sure that the decryption profile rule with the updated PFS settings is attached to an SSL Forward Proxy policy rule. Add the updated decryption profile rule to a decryption policy rule: Select Policies > Decryption. Add or modify an existing policy as needed. Select Options and set the policy rule action to Decrypt and the policy rule type to SSL Forward Proxy. From the Decryption Profile drop-down, select the updated profile rule with the modified PFS settings. Click OK and Commit.
    Previous
    Next

    Related Documentation

    Objects > Decryption Profile

    Objects > Decryption Profile Decryption profiles enable you to block and control specific aspects of the SSL forward proxy, SSL inbound inspection, and SSH traffic. ...

    Decryption Features

    Decryption Features Transparent Certificate Distribution for SSL Forward Proxy Perfect Forward Secrecy (PFS) Support ...

    PAN-OS 7.1 Decryption Cipher Suites

    List of cipher suites supported for IPSec on firewalls running PAN-OS® 7.1 in normal operation mode. ...

    PAN-OS 7.1 IPSec Cipher Suites

    List of cipher suites supported for IPSec on firewalls running PAN-OS® 7.1 in normal operation mode. ...

    Policies > Decryption

    Policies > Decryption You can configure the firewall to decrypt traffic for visibility, control, and granular security. Decryption policies can apply to Secure Sockets Layer ...

    Forward Decrypted SSL Traffic for WildFire Analysis

    Forward Decrypted SSL Traffic for WildFire Analysis Enable the firewall to forward decrypted SSL traffic for WildFire analysis. Traffic that the firewall decrypts is evaluated ...

    Transparent Certificate Distribution for SSL Forward Proxy

    Transparent Certificate Distribution for SSL Forward Proxy You can now easily and transparently install the trusted root certificate authority (CA) certificates that are required for ...

    Device > Setup > Session

    Device > Setup > Session Select Device > Setup > Session to configure session age-out times, decryption certificate settings, and global session-related settings such as ...

    Device > Virtual Systems

    Device > Virtual Systems A virtual system (vsys) is an independent (virtual) firewall instance that you can separately manage within a physical firewall. Each vsys ...

    SSL/SSH Session End Reasons

    SSL/SSH Session End Reasons The Session End Reason column in Traffic logs now includes additional end reasons pertaining to terminated SSL/SSH sessions. You can use ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo