End-of-Life (EoL)

Perfect Forward Secrecy (PFS) for Inbound SSL Sessions

PFS support is now extended to sessions decrypted using SSL Inbound Inspection (PFS support for SSL Forward Proxy was introduced in PAN-OS 7.1). PFS is a secure communication protocol that prevents the compromise of one encrypted session from leading to the compromise of multiple encrypted sessions. With PFS, a server generates unique private keys for each secure session that it establishes with a client. If a server private key is compromised, only the single session established with that key is vulnerable—an attacker cannot retrieve data from past and future sessions because the server establishes each connection with a uniquely generated key.
This extended support for ephemeral Diffie-Hellman (DHE)-based PFS and elliptic curve Diffie-Hellman (ECDHE)-based PFS is enabled by default after the upgrade to PAN-OS 8.0—note that these settings were also enabled by default in PAN-OS 7.1, though in that release version, support covered only SSL Forward Proxy decrypted traffic.
If you use the DHE or ECDHE key exchange algorithms to enable PFS, you cannot use a hardware security module (HSM) to store the private keys used for SSL Inbound Inspection.
  1. Select Objects > Decryption Profile, Add or modify a profile, and select SSL Decryption > SSL Protocol Settings to view the settings you can use to enable or disable DHE and ECDHE support for decrypted SSL sessions (ECDHE and DHE support are enabled by default).
  2. To confirm that the PFS settings are being applied to decrypted traffic, select Policies > Decryption and scan the Decryption Profile column. Check that the default decryption profile, or a custom profile like the one in step 1, is attached to a decryption policy rule.
  3. To learn more about setting up decryption for inbound SSL traffic, get started with SSL Inbound Inspection.
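The configuration check in step 2 tells you which profile is attached to a rule; it does not show what key exchange clients actually negotiate. The following added example (written for this page, not Palo Alto Networks code) classifies negotiated cipher suites by whether their key exchange is ephemeral, audits a constructed list of observed sessions, and can probe a live endpoint with the Python standard library. Host names in the sample are constructed placeholders; the probe reports the suite negotiated by whichever endpoint completes the client's handshake, which with SSL Inbound Inspection in front of the server reflects what the firewall's decryption profile permits.

```python
"""Classify negotiated TLS cipher suites by whether the key exchange is
ephemeral (PFS), and optionally probe a live endpoint with the standard
library. Added example for this page; not Palo Alto Networks code."""
import re
import socket
import ssl

# Key-exchange tokens that denote ephemeral Diffie-Hellman in both OpenSSL
# ("ECDHE-RSA-AES256-GCM-SHA384") and IANA ("TLS_DHE_RSA_WITH_...") names.
EPHEMERAL_KEX = {"ECDHE", "DHE", "EDH"}


def is_forward_secret(cipher_name: str, protocol: str) -> bool:
    """True when the negotiated suite gives per-session (ephemeral) keys.

    TLS 1.3 removed static RSA and static DH key exchange, so every
    TLS 1.3 suite is forward secret. For TLS 1.2 and earlier it depends
    on the suite's key-exchange component: ECDHE/DHE yes; plain RSA
    ("AES256-GCM-SHA384") or static ECDH ("ECDH-RSA-...") no.
    """
    if protocol == "TLSv1.3":
        return True
    tokens = set(re.split(r"[-_]", cipher_name.upper()))
    return bool(tokens & EPHEMERAL_KEX)


def audit(sessions):
    """Return the (host, cipher) pairs from a list of observed sessions
    whose key exchange is NOT forward secret. Each session is a
    (host, cipher_name, protocol) tuple."""
    return [(host, name) for host, name, proto in sessions
            if not is_forward_secret(name, proto)]


# Constructed sample of negotiated sessions (placeholder hosts, not real
# captures): what a client-side probe of several inbound-inspected servers
# might report.
SAMPLE_SESSIONS = [
    ("web1.example.test", "ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2"),
    ("web2.example.test", "TLS_AES_256_GCM_SHA384", "TLSv1.3"),
    ("legacy.example.test", "AES256-GCM-SHA384", "TLSv1.2"),   # RSA key exchange
    ("static.example.test", "ECDH-RSA-AES128-SHA", "TLSv1.2"),  # static ECDH
]


def probe(host, port=443, timeout=5.0):
    """Open one TLS connection and report the suite actually negotiated.

    The result describes whichever endpoint completes the handshake with
    the client; with SSL Inbound Inspection in front of the server, that
    is what the firewall's decryption profile permits.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, version, bits = tls.cipher()
    return {"host": host, "cipher": name, "protocol": version,
            "bits": bits, "pfs": is_forward_secret(name, version)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live check against one host: python pfs_check.py server.example.test
        print(probe(sys.argv[1]))
    else:
        for host, cipher in audit(SAMPLE_SESSIONS):
            print(f"no PFS: {host} negotiated {cipher}")
```

Run it without arguments to see the audit of the constructed sample, or pass a host name to probe a real server. A suite classified as not forward secret means that a compromise of the server's long-term private key would expose every recorded session using that suite, which is the exposure the DHE/ECDHE settings in the decryption profile are meant to remove.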
