Decryption Features
Learn about the exciting new decryption features in PAN-OS 8.1.
New Decryption Feature | Description |
---|---|
Decryption Broker | Offload SSL decryption to the Palo Alto Networks firewall and decrypt traffic only once. A firewall enabled as a decryption broker forwards clear text traffic to security chains (sets of inline, third-party appliances) for additional enforcement. This allows you to consolidate security functions on the firewall, optimize network performance, and reduce the number of devices in your security infrastructure. |
Automatic SAN Support for SSL Decryption | Browsers like Google Chrome and Mozilla Firefox require server certificates to use a Subject Alternative Name (SAN), instead of a Common Name (CN), to specify the domains the certificate protects. In order to continue to decrypt SSL sessions where a server certificate contains only a CN, the firewall can now add a SAN to the impersonation certificate it uses to establish itself as a trusted third-party to the SSL session. The firewall populates the SAN in the impersonation certificate based on the server certificate CN. |
HSM Client Upgrade and SafeNet HSM Cluster Support | When you use a firewall as a hardware security module (HSM) client to manage your digital keys, that firewall HSM client now supports SafeNet client versions 5.4.2 and 6.2.2 and nCipher nShield version 12.30 to provide compatibility with HSM server versions. Additionally, SafeNet HSM server high availability is enhanced from supporting an HA pair of HSMs to supporting an HA cluster of up to 16 HSMs. The HSM client upgrades and SafeNet HSM high availability clusters are supported on Panorama and all firewall models except for PA-800 Series, PA-500, PA-220, and PA-200 firewalls. |
ECDSA Certificate Support for SSL Decryption with HSMs | You can now securely store your elliptic curve private keys on a third-party network HSM when you use Elliptic Curve Digital Signature Algorithm (ECDSA) certificates for SSL decryption. The firewall can get the ECDSA key from the HSM to decrypt traffic between a client and server. HSM support for ECDSA certificates applies to SSL decryption in both forward proxy and inbound inspection modes. |
ECDHE/DHE Cipher Support on HSMs | HSM integration now supports Diffie-Hellman Exchange (DHE) and Elliptic Curve DHE (ECDHE) ciphers for SSL decryption when your keys are stored on a network HSM. |
Decryption Port Mirroring Support Extension | Decryption port mirroring is now supported on all hardware-based and VM-Series firewalls. This feature enables the firewall to create a copy of decrypted traffic and send it to a traffic collection tool for archiving and analysis. This feature is not supported on VMware NSX, Citrix SDX, or public cloud hypervisors (AWS, Azure, and Google Cloud Platform). |
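
The Automatic SAN Support behavior from the table, reproduced with the `openssl` CLI as an added example (not Palo Alto Networks code or firewall configuration). The host name, CA name and file names are constructed, and deriving a single DNS entry equal to the CN is an assumption covering only the simplest case.

```shell
#!/usr/bin/env bash
# Added example; host, CA and file names are constructed for the demo.
set -eu

# Print the subject Common Name of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# Succeed only if the certificate has a Subject Alternative Name extension.
has_san() {
  openssl x509 -in "$1" -noout -text |
    grep -q 'X509v3 Subject Alternative Name'
}

# Print the SAN entries; prints nothing when the extension is absent.
cert_san() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'X509v3 Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Create a CN-only server certificate, then re-issue it under a demo CA with
# a SAN derived from that CN (assumed: one DNS entry equal to the CN).
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=legacy.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Forward Trust CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  cn=$(cert_cn "$d/srv.crt")
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/imp.key" -out "$d/imp.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$cn" > "$d/san.ext"
  openssl x509 -req -in "$d/imp.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/san.ext" \
    -out "$d/imp.crt" >/dev/null 2>&1
  echo "$d"
}

out=$(demo)
for c in srv imp; do
  printf '%s.crt CN=%s SAN=%s\n' "$c" "$(cert_cn "$out/$c.crt")" \
    "$(cert_san "$out/$c.crt")"
done
```

Running `has_san` over an inventory of internal server certificates identifies the CN-only ones whose decrypted sessions depend on this feature.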