Learn about the exciting new decryption features in PAN-OS 8.1.
New Decryption Feature
Offload SSL decryption to the Palo Alto Networks firewall and decrypt traffic only once. A firewall enabled as a decryption broker forwards the clear-text traffic to security chains (sets of inline, third-party appliances) for additional enforcement. This lets you consolidate security functions on the firewall, optimize network performance, and reduce the number of devices in your security infrastructure.
Automatic SAN Support for SSL Decryption
Browsers such as Google Chrome and Mozilla Firefox require server certificates to use a Subject Alternative Name (SAN), rather than a Common Name (CN), to specify the domains the certificate protects. To continue decrypting SSL sessions where the server certificate contains only a CN, the firewall can now add a SAN to the impersonation certificate it uses to establish itself as a trusted third party in the SSL session. The firewall populates the SAN in the impersonation certificate based on the server certificate's CN.
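The CN-to-SAN rule described above, as an added illustration that is not Palo Alto Networks code: it models only the identity fields of a certificate, derives the impersonation SAN from the server CN when no SAN exists, and checks the result the way a SAN-only browser match would. The assumption that an existing server SAN is carried over unchanged is mine; the page does not state it.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed model of the identity fields of an X.509 certificate.
@dataclass
class Cert:
    cn: str
    san_dns: list = field(default_factory=list)
    san_ip: list = field(default_factory=list)

# One DNS label, or a bare "*" (wildcard label).
_LABEL = re.compile(r"^(\*|[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)$", re.I)

def _is_dns_name(name: str) -> bool:
    """True if name is a usable dNSName; a wildcard may only be the leftmost label."""
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(l) for l in labels) and "*" not in name[1:]

def build_impersonation_san(server: Cert) -> Cert:
    """Identity fields for the impersonation certificate.
    Assumption (not on the page): an existing SAN is copied as-is.
    Per the page: when the server cert has only a CN, derive the SAN from it."""
    if server.san_dns or server.san_ip:
        return Cert(server.cn, list(server.san_dns), list(server.san_ip))
    cn = server.cn.strip()
    try:  # an IP literal in the CN becomes an iPAddress SAN entry
        return Cert(cn, [], [str(ipaddress.ip_address(cn))])
    except ValueError:
        pass
    if _is_dns_name(cn):
        return Cert(cn, [cn.lower()], [])
    return Cert(cn)  # CN is not a host identity; no SAN can be derived

def browser_accepts(cert: Cert, host: str) -> bool:
    """SAN-only hostname match, as Chrome and Firefox do it (the CN is ignored).
    A wildcard matches exactly one label and only in the leftmost position."""
    try:
        return str(ipaddress.ip_address(host)) in cert.san_ip
    except ValueError:
        pass
    host = host.lower()
    for name in cert.san_dns:
        if name.startswith("*."):
            h_labels, n_labels = host.split("."), name.split(".")
            if len(h_labels) == len(n_labels) and h_labels[1:] == n_labels[1:]:
                return True
        elif name == host:
            return True
    return False
```

A CN such as "Example Corp Server" yields no SAN, which is the case an operator should expect a modern browser to reject even after decryption.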
HSM Client Upgrade and SafeNet HSM Cluster Support
When you use a firewall as a hardware security module (HSM) client to manage your digital keys, the firewall HSM client now supports SafeNet client versions 5.4.2 and 6.2.2 and nCipher nShield version 12.30, for compatibility with the corresponding HSM server versions. SafeNet HSM server high availability is extended from an HA pair of HSMs to an HA cluster of up to 16 HSMs. HSM client upgrades and SafeNet HSM high availability clusters are supported on Panorama and on all firewall models except the PA-800 Series, PA-500, PA-220, and PA-200 firewalls.
ECDSA Certificate Support for SSL Decryption with
You can now securely store your elliptic curve private keys on a third-party network HSM when you use Elliptic Curve Digital Signature Algorithm (ECDSA) certificates for SSL decryption. The firewall can get the ECDSA key from the HSM to decrypt traffic between a client and server. HSM support for ECDSA certificates applies to SSL decryption in both forward proxy and inbound inspection.
ECDHE/DHE Cipher Support on HSMs
HSM integration now supports Diffie-Hellman Exchange (DHE) and Elliptic Curve DHE (ECDHE) ciphers for SSL decryption when your keys are stored on a network HSM.
Decryption Port Mirroring Support Extension
Decryption port mirroring is now supported on all hardware-based and VM-Series firewalls. This feature enables the firewall to create a copy of decrypted traffic and send it to a traffic collection tool for archiving and analysis. The feature is not supported on VMware NSX, Citrix SDX, or public cloud hypervisors (AWS, Azure, and Google Cloud Platform).