Policies > Decryption

You can configure the firewall to decrypt traffic for visibility, control, and granular security. Decryption policies can apply to Secure Sockets Layer (SSL) including SSL encapsulated protocols such as IMAP(S), POP3(S), SMTP(S), and FTP(S), and Secure Shell (SSH) traffic. SSH decryption can be used to decrypt outbound and inbound SSH traffic to assure that secure protocols are not being used to tunnel disallowed applications and content.

Add a decryption policy rule to define traffic that you want to decrypt (for example, you can decrypt traffic based on URL categorization). Decryption policy rules are compared against the traffic in sequence, so more specific rules must precede the more general ones.

SSL forward proxy decryption requires the configuration of a trusted certificate that will be presented to the user if the server to which the user is connecting possesses a certificate signed by a CA trusted by the firewall. Create a certificate on the

Device

Certificate Management

Certificates

page and then click the name of the certificate and select

Forward Trust Certificate

Certain applications will not function if they are decrypted by the firewall. To prevent this from occurring, PAN-OS® will not decrypt the SSL traffic for these applications and the decryption rule settings will not apply.

Refer to the List of Applications Excluded from SSL Decryption.

The following tables describe the decryption policy settings:

Decryption General Tab

Decryption Source Tab

Decryption Destination Tab

Decryption Service/URL Category Tab

Decryption Options Tab

Looking for more?

See Decryption