Decryption profiles enable you to block and control specific aspects of the SSL forward proxy, SSL inbound inspection, and SSH traffic. After you create a decryption profile, you can then add that profile to a decryption policy; any traffic matched to the decryption policy will be enforced according to the profile settings.
You can also control the trusted CAs that your firewall trusts. For more information, refer to Manage Default Trusted Certificate Authorities.
A default decryption profile is configured on the firewall, and is automatically included in new decryption policies (you cannot modify the default decryption profile). Click Add to create a new decryption profile, or select an existing profile to Clone or modify it.
What do you want to know? See:
Add a new decryption profile. Decryption Profile General Settings
Enable port mirroring for decrypted traffic.
Block and control SSL decrypted traffic. Settings to Control Decrypted SSL Traffic
Block and control traffic that you have excluded from decryption (for example, traffic classified as health and medicine or financial services). Settings to Control Traffic that is not Decrypted
Block and control decrypted SSH traffic. Settings to Control Decrypted SSH Traffic
Decryption Profile General Settings
The following table describes the general settings for decryption profiles.
Decryption Profile — General Setting Description
Name Enter a profile name (up to 31 characters). This name appears in the list of decryption profiles when defining decryption policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Shared Select this option if you want the profile to be available to every virtual system (vsys) on a multi-vsys firewall, or to every device group on Panorama. If you clear this selection, the profile will be available only to the Virtual System (on a firewall) or the Device Group (on Panorama) selected in the Objects tab.
Disable override (Panorama only) Select this option if you want to prevent administrators from creating local copies of the profile in descendant device groups by overriding its inherited values. This selection is cleared by default, which means overriding is enabled.
Decryption Mirroring Interface (PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls only) Select an Interface to use for decryption port mirroring. Before you can enable decryption port mirroring, you must obtain a Decryption Port Mirror license, install the license, and reboot the firewall.
Forwarded Only (PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls only) Select Forwarded Only if you want to mirror decrypted traffic only after Security policy enforcement. With this option, only traffic that is forwarded through the firewall is mirrored. This option is useful if you are forwarding the decrypted traffic to other threat detection devices, such as a DLP device or another intrusion prevention system (IPS). If you clear this selection (the default setting), the firewall mirrors all decrypted traffic to the interface before the Security policy lookup, which allows you to replay events and analyze traffic that generates a threat or triggers a drop action.
Settings to Control Decrypted SSL Traffic
The following table describes the settings you can use to control SSL traffic that has been decrypted using either SSL Forward Proxy decryption or SSL Inbound Inspection. You can use these settings to limit or block SSL sessions based on criteria including the status of the external server certificate, the use of unsupported cipher suites or protocol versions, or the availability of system resources to process decryption.
SSL Decryption Tab Setting Description
SSL Forward Proxy Tab Select options to limit or block SSL traffic decrypted using SSL Forward Proxy.
Server Certificate Validation — Select options to control server certificates for decrypted SSL traffic.
Block sessions with expired certificates Terminate the SSL connection if the server certificate is expired. This prevents a user from accepting an expired certificate and continuing with the SSL session.
Block sessions with untrusted issuers Terminate the SSL session if the server certificate issuer is untrusted.
Block sessions with unknown certificate status Terminate the SSL session if a server returns a certificate revocation status of “unknown”. Certificate revocation status indicates whether or not trust in the certificate has been revoked.
Block sessions on the certificate status check timeout Terminate the SSL session if the certificate status cannot be retrieved within the time the firewall is configured to wait for a response from a certificate status service. You can configure the Certificate Status Timeout value when creating or modifying a certificate profile (Device > Certificate Management > Certificate Profile).
Restrict certificate extensions Limits the certificate extensions used in the dynamic server certificate to key usage and extended key usage.
Unsupported Mode Checks — Select options to control unsupported SSL applications.
Block sessions with unsupported version Terminate sessions if the protocol version in the “client hello” message is not supported by PAN-OS. PAN-OS supports SSLv3, TLS1.0, TLS1.1, and TLS1.2.
Block sessions with unsupported cipher suites Terminate the session if the cipher suite specified in the SSL handshake is not supported by PAN-OS.
Block sessions with client authentication Terminate sessions with client authentication for SSL forward proxy traffic.
Failure Checks — Select the action to take if system resources are not available to process decryption.
Block sessions if resources not available Terminate sessions if system resources are not available to process decryption.
Block sessions if HSM not available Terminate sessions if a hardware security module (HSM) is not available to sign certificates.
For unsupported modes and failure modes, the session information is cached for 12 hours, so future sessions between the same host and server pair are not decrypted. Enable the block options above to terminate those sessions instead.
SSL Inbound Inspection Tab Select options to limit or block SSL traffic decrypted using SSL Inbound Inspection.
Unsupported Mode Checks — Select options to control sessions if unsupported modes are detected in SSL traffic.
Block sessions with unsupported versions Terminate sessions if the protocol version in the “client hello” message is not supported by PAN-OS. PAN-OS supports SSLv3, TLS1.0, TLS1.1, and TLS1.2.
Block sessions with unsupported cipher suites Terminate the session if the cipher suite used is not supported by PAN-OS.
Failure Checks — Select the action to take if system resources are not available.
Block sessions if resources not available Terminate sessions if system resources are not available to process decryption.
Block sessions if HSM not available Terminate sessions if a hardware security module (HSM) is not available to decrypt the session key.
SSL Protocol Settings Tab Select the following settings to enforce protocol versions and cipher suites for SSL session traffic.
Protocol Versions Enforce the use of minimum and maximum protocol versions for the SSL session.
Min Version Set the minimum protocol version that can be used to establish the SSL connection.
Max Version Set the maximum protocol version that can be used to establish the SSL connection. You can choose the option Max so that no maximum version is specified; in this case, any protocol version equal to or later than the selected minimum version is supported.
Key Exchange Algorithms Enforce the use of the selected key exchange algorithms for the SSL session. To implement Perfect Forward Secrecy (PFS) for SSL Forward Proxy decrypted traffic, select DHE to enable Diffie-Hellman-based PFS or ECDHE to enable elliptic curve Diffie-Hellman-based PFS.
Encryption Algorithms Enforce the use of the selected encryption algorithms for the SSL session.
Authentication Algorithms Enforce the use of the selected authentication algorithms for the SSL session.
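The Unsupported Mode Checks and the SSL Protocol Settings above both act on what the client offers in its “client hello”: the protocol version and the list of cipher suites. The following Python program is an added example written for this page, not PAN-OS code, that makes those decisions concrete. It parses the legacy version and cipher_suites fields of a TLS ClientHello record, maps a handful of IANA cipher suite codes to their key exchange, encryption and authentication algorithms, and applies a profile to return “decrypt”, “block”, or “pass-through” (the behaviour described above when a check fails but the block option is not enabled: the session is not decrypted and the host pair is cached for 12 hours). The profile field names, the cipher-suite table and the sample ClientHello are assumptions constructed for the example; a version outside the Min/Max range is treated like an unsupported version, which is a simplification, and the TLS 1.3 supported_versions extension is not parsed because the page's range ends at TLS1.2.

```python
"""Added example: evaluate a TLS ClientHello against decryption-profile style settings.
Not PAN-OS code; profile field names and the cipher-suite table are constructed here.
Handles the legacy version field and cipher_suites only (SSLv3 through TLS 1.2)."""
import struct
from dataclasses import dataclass

# Protocol versions as encoded on the wire.
VERSIONS = {"SSLv3": (3, 0), "TLS1.0": (3, 1), "TLS1.1": (3, 2), "TLS1.2": (3, 3)}
ON_WIRE = {code: name for name, code in VERSIONS.items()}

# A handful of IANA cipher suite codes -> (key exchange, encryption, authentication/MAC).
CIPHER_SUITES = {
    0x000A: ("RSA", "3DES", "SHA1"),
    0x002F: ("RSA", "AES128-CBC", "SHA1"),
    0x0035: ("RSA", "AES256-CBC", "SHA1"),
    0x0033: ("DHE", "AES128-CBC", "SHA1"),
    0x0039: ("DHE", "AES256-CBC", "SHA1"),
    0x009C: ("RSA", "AES128-GCM", "SHA256"),
    0x009E: ("DHE", "AES128-GCM", "SHA256"),
    0xC02B: ("ECDHE", "AES128-GCM", "SHA256"),
    0xC02F: ("ECDHE", "AES128-GCM", "SHA256"),
    0xC030: ("ECDHE", "AES256-GCM", "SHA384"),
}


@dataclass
class SslProtocolSettings:
    """Profile selections (field names assumed). max_version "Max" means no upper bound."""
    min_version: str = "TLS1.0"
    max_version: str = "Max"
    key_exchange: frozenset = frozenset({"RSA", "DHE", "ECDHE"})
    encryption: frozenset = frozenset({"3DES", "AES128-CBC", "AES256-CBC", "AES128-GCM", "AES256-GCM"})
    authentication: frozenset = frozenset({"SHA1", "SHA256", "SHA384"})
    block_unsupported_version: bool = True
    block_unsupported_cipher_suites: bool = True


def parse_client_hello(record: bytes):
    """Return (version tuple, [cipher suite codes]) from a TLS record carrying a ClientHello."""
    if len(record) < 9 or record[0] != 0x16:            # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:         # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 35:
        raise ValueError("truncated ClientHello")
    version = (hello[0], hello[1])
    pos = 2 + 32                                        # skip client_random
    sid_len = hello[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return version, suites


def build_client_hello(version: tuple, suites: list) -> bytes:
    """Construct a minimal ClientHello record for testing (constructed input, not a capture)."""
    cs = b"".join(struct.pack("!H", c) for c in suites)
    hello = (bytes(version) + b"\x11" * 32 + b"\x00"        # version, random, empty session id
             + struct.pack("!H", len(cs)) + cs               # cipher_suites
             + b"\x01\x00" + b"\x00\x00")                    # null compression, no extensions
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def evaluate(record: bytes, settings: SslProtocolSettings) -> str:
    """Apply the settings to one ClientHello: "decrypt", "block", or "pass-through"."""
    version, suites = parse_client_hello(record)
    version_ok = version in ON_WIRE
    if version_ok:
        low = VERSIONS[settings.min_version]
        high = VERSIONS["TLS1.2"] if settings.max_version == "Max" else VERSIONS[settings.max_version]
        version_ok = low <= version <= high             # out-of-range treated like unsupported
    if not version_ok:
        return "block" if settings.block_unsupported_version else "pass-through"
    # Decryption is possible only if at least one offered suite passes all three algorithm filters.
    acceptable = [c for c in suites if c in CIPHER_SUITES
                  and CIPHER_SUITES[c][0] in settings.key_exchange
                  and CIPHER_SUITES[c][1] in settings.encryption
                  and CIPHER_SUITES[c][2] in settings.authentication]
    if not acceptable:
        return "block" if settings.block_unsupported_cipher_suites else "pass-through"
    return "decrypt"


if __name__ == "__main__":
    # Constructed sample: a TLS 1.2 client offering one ECDHE suite and two RSA suites.
    hello = build_client_hello(VERSIONS["TLS1.2"], [0xC02F, 0x002F, 0x0035])
    print(evaluate(hello, SslProtocolSettings()))                                        # decrypt
    pfs_only = SslProtocolSettings(key_exchange=frozenset({"DHE", "ECDHE"}))
    print(evaluate(build_client_hello(VERSIONS["TLS1.2"], [0x002F, 0x0035]), pfs_only))  # block
```

Running the sample shows the PFS point from the Key Exchange Algorithms row: a client that offers only RSA key exchange is blocked by a profile restricted to DHE and ECDHE, while the same client with an ECDHE suite in its list is decrypted.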
Settings to Control Traffic that is not Decrypted
You can use the No Decryption tab to enable settings to block traffic that is matched to a decryption policy configured with the No Decrypt action (Policies > Decryption > Action). Use these options to control server certificates for the session even though the firewall does not decrypt and inspect the session traffic.
No Decryption Tab Setting Description
Block sessions with expired certificates Terminate the SSL connection if the server certificate is expired. This prevents a user from accepting an expired certificate and continuing with the SSL session.
Block sessions with untrusted issuers Terminate the SSL session if the server certificate issuer is untrusted.
Settings to Control Decrypted SSH Traffic
The following table describes the settings you can use to control decrypted inbound and outbound SSH traffic. These settings allow you to limit or block SSH tunneled traffic based on criteria including the use of unsupported algorithms, the detection of SSH errors, or the availability of resources to process SSH Proxy decryption.
SSH Proxy Tab Setting Description
Unsupported Mode Checks — Use these options to control sessions if unsupported modes are detected in SSH traffic. The supported SSH version is SSH version 2.
Block sessions with unsupported versions Terminate sessions if the “client hello” message is not supported by PAN-OS.
Block sessions with unsupported algorithms Terminate sessions if the algorithm specified by the client or server is not supported by PAN-OS.
Failure Checks — Select the actions to take if SSH application errors occur or if system resources are not available.
Block sessions on SSH errors Terminate sessions if SSH errors occur.
Block sessions if resources not available Terminate sessions if system resources are not available to process decryption.
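The SSH Proxy checks above turn on two things visible at the start of every SSH session: the version each peer announces in its identification string, and the algorithms the two peers agree on from their KEXINIT name-lists (an SSH proxy must itself support whatever the peers pick). The following Python program is an added example written for this page, not PAN-OS code. It parses the identification line (RFC 4253 section 4.2), parses RFC 4251 name-lists, performs the RFC 4253 section 7.1 negotiation (first algorithm on the client's list that the server also lists), and returns “proxy”, “block”, or “pass-through” (continue without decryption). The settings field names, the set of algorithms the hypothetical proxy supports, and the two sample KEXINIT name-lists are all constructed for the example; a negotiation with no common algorithm is treated as an SSH error, since the peers' own key exchange would fail.

```python
"""Added example: SSH version and algorithm checks in the style of the SSH Proxy tab.
Not PAN-OS code; field names, the supported-algorithm sets and the sample KEXINIT
name-lists are constructed for this example."""
import re
from dataclasses import dataclass

# RFC 4253 4.2: SSH-protoversion-softwareversion [SP comments] CR LF
IDENT_RE = re.compile(rb"SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<sw>[^ \r\n]+)( [^\r\n]*)?\r?\n")


@dataclass
class SshProxySettings:
    block_unsupported_versions: bool = True
    block_unsupported_algorithms: bool = True
    block_on_ssh_errors: bool = True
    # Algorithms the hypothetical proxy can handle (constructed example set, not a PAN-OS list).
    kex: frozenset = frozenset({"curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"})
    ciphers: frozenset = frozenset({"aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr"})
    macs: frozenset = frozenset({"hmac-sha2-256", "hmac-sha2-512"})


def parse_ident(line: bytes):
    """Return the protoversion string (e.g. "2.0") from an identification line, or None if malformed."""
    m = IDENT_RE.fullmatch(line)
    return m.group("proto").decode("ascii") if m else None


def parse_name_list(raw: bytes) -> list:
    """RFC 4251 name-list: comma-separated US-ASCII names, none empty; an empty list is allowed."""
    if raw == b"":
        return []
    names = raw.decode("ascii").split(",")
    if any(name == "" for name in names):
        raise ValueError("malformed name-list")
    return names


def negotiate(client: list, server: list):
    """RFC 4253 7.1: the first algorithm on the client's list that the server also lists."""
    return next((name for name in client if name in server), None)


def check_session(client_ident: bytes, server_ident: bytes, client_kexinit: dict,
                  server_kexinit: dict, s: SshProxySettings) -> str:
    """Action for one session: "proxy", "block", or "pass-through" (continue undecrypted).
    The KEXINIT dicts hold raw name-lists under the keys kex, cipher_c2s, cipher_s2c, mac_c2s, mac_s2c."""
    for ident in (client_ident, server_ident):
        if parse_ident(ident) != "2.0":      # the page: only SSH version 2 is supported
            return "block" if s.block_unsupported_versions else "pass-through"
    supported = {"kex": s.kex, "cipher_c2s": s.ciphers, "cipher_s2c": s.ciphers,
                 "mac_c2s": s.macs, "mac_s2c": s.macs}
    for key, allowed in supported.items():
        try:
            chosen = negotiate(parse_name_list(client_kexinit[key]), parse_name_list(server_kexinit[key]))
        except (KeyError, ValueError, UnicodeDecodeError):
            chosen = None                    # a malformed KEXINIT is treated as an SSH error
        if chosen is None:
            # No algorithm in common: the peers' own key exchange fails.
            return "block" if s.block_on_ssh_errors else "pass-through"
        if chosen not in allowed:
            return "block" if s.block_unsupported_algorithms else "pass-through"
    return "proxy"


# Constructed sample name-lists, roughly what an OpenSSH-like client and server might offer.
CLIENT_KEXINIT = {
    "kex": b"curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256",
    "cipher_c2s": b"chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-ctr",
    "cipher_s2c": b"chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-ctr",
    "mac_c2s": b"hmac-sha2-256,hmac-sha2-512",
    "mac_s2c": b"hmac-sha2-256,hmac-sha2-512",
}
SERVER_KEXINIT = {
    "kex": b"ecdh-sha2-nistp256,diffie-hellman-group14-sha256",
    "cipher_c2s": b"aes128-gcm@openssh.com,aes256-ctr",
    "cipher_s2c": b"aes128-gcm@openssh.com,aes256-ctr",
    "mac_c2s": b"hmac-sha2-256",
    "mac_s2c": b"hmac-sha2-256",
}

if __name__ == "__main__":
    print(check_session(b"SSH-2.0-OpenSSH_8.9\r\n", b"SSH-2.0-OpenSSH_9.3\r\n",
                        CLIENT_KEXINIT, SERVER_KEXINIT, SshProxySettings()))   # proxy
    print(check_session(b"SSH-1.5-legacy\r\n", b"SSH-2.0-OpenSSH_9.3\r\n",
                        CLIENT_KEXINIT, SERVER_KEXINIT, SshProxySettings()))   # block
```

Note the order of the checks matters: the version check runs before any algorithm check, as it does in a real session (the identification strings are exchanged before KEXINIT), so a session announcing SSH version 1 is decided by the unsupported-versions option alone, and the algorithm and error options are never consulted for it.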
