End-of-Life (EoL)

Policies > Decryption

You can configure the firewall to decrypt traffic for visibility, control, and granular security. Decryption policies can apply to Secure Sockets Layer (SSL) including SSL encapsulated protocols such as IMAP(S), POP3(S), SMTP(S), and FTP(S), and Secure Shell (SSH) traffic. SSH decryption can be used to decrypt outbound and inbound SSH traffic to assure that secure protocols are not being used to tunnel disallowed applications and content.
Add a decryption policy rule to define traffic that you want to decrypt (for example, you can decrypt traffic based on URL categorization). Decryption policy rules are compared against the traffic in sequence, so more specific rules must precede the more general ones.
SSL forward proxy decryption requires the configuration of a trusted certificate that will be presented to the user if the server to which the user is connecting possesses a certificate signed by a CA trusted by the firewall. Create a certificate on the
Certificate Management
page and then click the name of the certificate and select
Forward Trust Certificate
Certain applications will not function if they are decrypted by the firewall. To prevent this from occurring, PAN-OS® will not decrypt the SSL traffic for these applications and the decryption rule settings will not apply.
The following tables describe the decryption policy settings:
Looking for more?

Recommended For You