You can configure the firewall to decrypt traffic for visibility, control, and granular security. Decryption policies can apply to Secure Sockets Layer (SSL) traffic, including SSL-encapsulated protocols such as IMAP(S), POP3(S), SMTP(S), and FTP(S), and to Secure Shell (SSH) traffic. SSH decryption can be used to decrypt outbound and inbound SSH traffic to ensure that secure protocols are not being used to tunnel disallowed applications and content.
Add a decryption policy rule to define the traffic that you want to decrypt (for example, you can decrypt traffic based on URL categorization). Decryption policy rules are compared against the traffic in sequence, so more specific rules must precede the more general ones.
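The sequential, first-match evaluation described above means a broad "decrypt everything" rule placed first silently shadows a narrower exception below it. The following is an added illustration (not PAN-OS code) that models that behaviour and flags shadowed rules; the rule names and URL categories are constructed for the example.

```python
from dataclasses import dataclass

ANY = "any"  # a rule whose category set is {"any"} matches every category


@dataclass(frozen=True)
class DecryptionRule:
    name: str
    url_categories: frozenset  # URL categories the rule applies to
    action: str                # "decrypt" or "no-decrypt"

    def matches(self, category: str) -> bool:
        return ANY in self.url_categories or category in self.url_categories


def first_match(rules, category):
    """Return the first rule in sequence that matches the category, or None."""
    for rule in rules:
        if rule.matches(category):
            return rule
    return None


def shadowed_rules(rules):
    """Names of rules that can never be reached because every category they
    list (or 'any') is already matched by an earlier rule in the sequence."""
    shadowed = []
    for i, rule in enumerate(rules):
        earlier = rules[:i]
        if earlier and all(any(e.matches(c) for e in earlier)
                           for c in rule.url_categories):
            shadowed.append(rule.name)
    return shadowed


# Constructed sample rulebase: a specific no-decrypt exception for sensitive
# categories and a general rule that decrypts everything else.
NO_DECRYPT_SENSITIVE = DecryptionRule(
    "no-decrypt-sensitive",
    frozenset({"financial-services", "health-and-medicine"}),
    "no-decrypt",
)
DECRYPT_ALL = DecryptionRule("decrypt-outbound", frozenset({ANY}), "decrypt")

CORRECT_ORDER = [NO_DECRYPT_SENSITIVE, DECRYPT_ALL]  # specific before general
WRONG_ORDER = [DECRYPT_ALL, NO_DECRYPT_SENSITIVE]    # general first: exception is shadowed

if __name__ == "__main__":
    print(first_match(CORRECT_ORDER, "financial-services").action)  # no-decrypt
    print(first_match(WRONG_ORDER, "financial-services").action)    # decrypt
    print(shadowed_rules(WRONG_ORDER))                              # ['no-decrypt-sensitive']
```

Running a shadow check like this against a rulebase before committing is a cheap way to catch an exception rule that a broader rule above it has made unreachable.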
SSL forward proxy decryption requires the configuration of a trusted certificate that will be presented to the user if the server to which the user is connecting possesses a certificate signed by a CA trusted by the firewall. Create a certificate on the page and then click the name of the certificate and select
Certain applications will not function if they are decrypted by the firewall. To prevent this from occurring, PAN-OS® will not decrypt the SSL traffic for these applications, and the decryption rule settings will not apply.