Offload SSL decryption to the Palo Alto Networks firewall and decrypt traffic only once. A firewall enabled as a decryption broker forwards clear text traffic to security chains (sets of inline, third-party appliances) for additional enforcement. This allows you to consolidate security functions on the firewall, optimize network performance, and reduce the number of devices in your security infrastructure.

Browsers like Google Chrome and Mozilla Firefox require server certificates to use a Subject Alternative Name (SAN), instead of a Common Name (CN), to specify the domains the certificate protects. In order to continue to decrypt SSL sessions where a server certificate contains only a CN, the firewall can now add a SAN to the impersonation certificate it uses to establish itself as a trusted third-party to the SSL session. The firewall populates the SAN in the impersonation certificate based on the server certificate CN.

When you use a firewall as a hardware security module (HSM) client to manage your digital keys, that firewall HSM client now supports SafeNet client versions 5.4.2 and 6.2.2 and nCipher nShield version 12.30 to provide compatibility with HSM server versions.

Additionally, SafeNet HSM server high availability is enhanced from supporting an HA pair of HSMs to supporting an HA cluster of up to 16 HSMs.

The HSM client upgrades and SafeNet HSM high availability clusters are supported on Panorama and all firewall models except for PA-800 Series, PA-500, PA-220, and PA-200 firewalls.

You can now securely store your elliptic curve private keys on a third-party network HSM when you use Elliptic Curve Digital Signature Algorithm (ECDSA) certificates for SSL decryption. The firewall can get the ECDSA key from the HSM to decrypt traffic between a client and server. HSM support for ECDSA certificates applies to SSL decryption in both forward proxy and inbound inspection modes.

HSM integration now supports Diffie-Hellman Exchange (DHE) and Elliptic Curve DHE (ECDHE) ciphers for SSL decryption when your keys are stored on a network HSM.