Decryption Features

Learn about the exciting new decryption features in PAN-OS 8.1.
New Decryption FeatureDescription
Decryption Broker
Offload SSL decryption to the Palo Alto Networks firewall and decrypt traffic only once. A firewall enabled as a decryption broker forwards clear text traffic to security chains (sets of inline, third-party appliances) for additional enforcement. This allows you to consolidate security functions on the firewall, optimize network performance, and reduce the number of devices in your security infrastructure.
Automatic SAN Support for SSL Decryption
Browsers like Google Chrome and Mozilla Firefox require server certificates to use a Subject Alternative Name (SAN), instead of a Common Name (CN), to specify the domains the certificate protects. In order to continue to decrypt SSL sessions where a server certificate contains only a CN, the firewall can now add a SAN to the impersonation certificate it uses to establish itself as a trusted third-party to the SSL session. The firewall populates the SAN in the impersonation certificate based on the server certificate CN.
HSM Client Upgrade and SafeNet HSM Cluster Support
When you use a firewall as a hardware security module (HSM) client to manage your digital keys, that firewall HSM client now supports SafeNet client versions 5.4.2 and 6.2.2 and Thales nShield version 12.30 to provide compatibility with HSM server versions.
Additionally, SafeNet HSM server high availability is enhanced from supporting an HA pair of HSMs to supporting an HA cluster of up to 16 HSMs.
The HSM client upgrades and SafeNet HSM high availability clusters are supported on Panorama and all firewall models except for PA-800 Series, PA-500, PA-220, and PA-200 firewalls.
ECDSA Certificate Support for SSL Decryption with HSMs
You can now securely store your elliptic curve private keys on a third-party network HSM when you use Elliptic Curve Digital Signature Algorithm (ECDSA) certificates for SSL decryption. The firewall can get the ECDSA key from the HSM to decrypt traffic between a client and server. HSM support for ECDSA certificates applies to SSL decryption in both forward proxy and inbound inspection modes.
ECDHE/DHE Cipher Support on HSMs
HSM integration now supports Diffie-Hellman Exchange (DHE) and Elliptic Curve DHE (ECDHE) ciphers for SSL decryption when your keys are stored on a network HSM.
Decryption Port Mirroring Support Extension
Decryption port mirroring is now supported on all hardware-based and VM-Series firewalls. This feature enables the firewall to create a copy of decrypted traffic and send it to a traffic collection tool for archiving and analysis.
This feature is not supported on VMware NSX, Citrix SDX, or public cloud hypervisors (AWS, Azure, and Google Cloud Platform).

Related Documentation