New Decryption Features Description
Transparent Certificate Distribution for SSL Forward Proxy You can now use GlobalProtect to easily distribute the forward trust certificate required for SSL Forward Proxy decryption to client systems.
Perfect Forward Secrecy (PFS) Support with SSL Forward Proxy Decryption Palo Alto Networks firewalls now support PFS when performing SSL Forward Proxy decryption. PFS ensures that data from the session undergoing SSL Forward Proxy decryption cannot later be retrieved in the event that server private keys are compromised. You can enforce Diffie-Hellman key exchange-based PFS (DHE) and/or elliptic curve Diffie-Hellman-based PFS (ECDHE) with SSL Forward Proxy.

Related Documentation