New Decryption Features
Decryption for Elliptic Curve Cryptography (ECC) Certificates
Firewalls enabled to decrypt SSL traffic now also decrypt SSL traffic from websites and applications that use Elliptic Curve Cryptography (ECC) certificates, including Elliptic Curve Digital Signature Algorithm (ECDSA) certificates. As organizations transition to ECC certificates to take advantage of benefits such as strong keys and small certificate size, this feature ensures that you keep visibility into ECC-secured application and website traffic and can safely enable it.
Decryption of traffic to websites and applications that use ECC certificates is not supported for traffic that is only mirrored to the firewall; encrypted traffic that uses ECC certificates must pass through the firewall directly (the firewall must be in the traffic path) for the firewall to decrypt it.
Management for Decryption Exclusions
You now have more flexibility to manage traffic that is excluded from decryption. New, centralized SSL decryption exclusion management lets you both create your own custom decryption exclusions and review the Palo Alto Networks predefined decryption exclusions in a single place:
Perfect Forward Secrecy (PFS) Support with SSL Inbound Inspection
PAN-OS 7.1 introduced PFS support for SSL Forward Proxy decryption; PAN-OS 8.0 extends PFS support to SSL Inbound Inspection. PFS ensures that data from sessions that were decrypted cannot later be recovered if the server's private keys are compromised. You can enforce PFS based on ephemeral Diffie-Hellman (DHE) key exchange and on ephemeral elliptic curve Diffie-Hellman (ECDHE) key exchange for decrypted SSL traffic.
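The following toy model illustrates the property behind both notes above: why a device that merely receives a mirrored copy of the traffic cannot decrypt ECC-certificate (ECDHE) sessions, and why PFS protects recorded sessions even if the server's private key is later compromised. It is an added example, not Palo Alto Networks code, and does not model PAN-OS itself; all key and group parameters are constructed toy values chosen so that it runs on the Python standard library alone, and classic finite-field DHE stands in for ECDHE, which has the same forward-secrecy property. A passive observer holding the server key recovers the session key under RSA key exchange but gets nothing under DHE, because the long-term key only signed an ephemeral share.

```python
"""Toy model of perfect forward secrecy (PFS): why a device that only holds
the server's private key can recover session keys for RSA key exchange but
not for (EC)DHE.

Added illustration, not Palo Alto Networks code and not a model of PAN-OS.
All parameters are constructed toy values (tiny RSA primes, a 61-bit DH
group) so the example runs with the Python standard library; they provide
no security. Finite-field DHE stands in for ECDHE; the forward-secrecy
property shown is the same for both.
"""
import hashlib
import secrets

# Constructed toy RSA primes (2^32 - 5 and 2^32 + 15, both prime). Real
# server keys use a 2048-bit or larger modulus.
_P, _Q = 4294967291, 4294967311
_E = 65537

# Toy DH group: modulus 2^61 - 1 (a Mersenne prime), generator 3. A real
# deployment uses a standard 2048-bit+ MODP group or an elliptic curve.
_DH_P = (1 << 61) - 1
_DH_G = 3


def _kdf(shared_secret: int) -> bytes:
    """Derive a session key from the shared secret (toy KDF)."""
    return hashlib.sha256(b"toy-kdf|" + shared_secret.to_bytes(16, "big")).digest()


def _hash_to_int(value: int, n: int) -> int:
    """Hash an integer and reduce it mod n so it can be signed with toy RSA."""
    h = hashlib.sha256(value.to_bytes(16, "big")).digest()
    return int.from_bytes(h, "big") % n


def rsa_keygen():
    """Return the server's long-term (public, private) toy RSA key pair."""
    n = _P * _Q
    phi = (_P - 1) * (_Q - 1)
    d = pow(_E, -1, phi)
    return (n, _E), (n, d)


def rsa_handshake(server_pub, server_priv):
    """RSA key exchange: the client encrypts a premaster secret to the
    server's long-term public key. Returns (session_key, wire_transcript)."""
    n, e = server_pub
    premaster = secrets.randbelow(n - 2) + 2          # client's choice
    encrypted = pow(premaster, e, n)                   # sent on the wire
    premaster_at_server = pow(encrypted, server_priv[1], n)
    if premaster_at_server != premaster:
        raise ValueError("toy RSA decryption failed")
    transcript = {"kx": "RSA", "encrypted_premaster": encrypted}
    return _kdf(premaster), transcript


def dhe_handshake(server_pub, server_priv):
    """Ephemeral Diffie-Hellman: the server's long-term key only signs its
    ephemeral share; the shared secret comes from one-time exponents that are
    never transmitted and are discarded after the handshake.
    Returns (session_key, wire_transcript)."""
    n, d = server_priv
    x = secrets.randbelow(_DH_P - 2) + 1               # server ephemeral secret
    server_share = pow(_DH_G, x, _DH_P)
    signature = pow(_hash_to_int(server_share, n), d, n)
    # The client verifies the signature with the server's certificate key.
    if pow(signature, server_pub[1], n) != _hash_to_int(server_share, n):
        raise ValueError("bad server signature")
    y = secrets.randbelow(_DH_P - 2) + 1               # client ephemeral secret
    client_share = pow(_DH_G, y, _DH_P)
    key_client = _kdf(pow(server_share, y, _DH_P))
    key_server = _kdf(pow(client_share, x, _DH_P))
    if key_client != key_server:
        raise ValueError("DH shares do not agree")
    transcript = {"kx": "DHE", "server_share": server_share,
                  "client_share": client_share, "signature": signature}
    # x and y go out of scope here: nothing retained or on the wire encodes them.
    return key_client, transcript


def passive_recover_key(transcript, server_priv):
    """What a tap/mirror device that only sees the wire and holds the server's
    private key can do. Returns the session key, or None if PFS defeats it."""
    n, d = server_priv
    if transcript["kx"] == "RSA":
        return _kdf(pow(transcript["encrypted_premaster"], d, n))
    # DHE/ECDHE: the private key only signed the share. Recovering the
    # session key would need x or y (a discrete-log problem), so a passive
    # device cannot decrypt; the firewall must sit inline and take part in
    # the handshake itself.
    return None


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    key, wire = rsa_handshake(pub, priv)
    print("RSA kx: passive recovery matches session key ->",
          passive_recover_key(wire, priv) == key)
    key, wire = dhe_handshake(pub, priv)
    print("DHE kx: passive recovery ->", passive_recover_key(wire, priv))
```

Run it directly to see the two outcomes side by side. The DHE branch of `passive_recover_key` is the whole point: with an ECDSA certificate the key exchange is always ephemeral, so the only way a firewall can decrypt such traffic is to be in the path and participate in the handshake, which is why mirrored (tap) traffic using ECC certificates cannot be decrypted and why a later key compromise does not expose recorded PFS sessions.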