Learn about the exciting new decryption features in PAN-OS 8.1.
| New Decryption Feature | Description |
|---|---|
| Decryption Broker | Offload SSL decryption to the Palo Alto Networks firewall and decrypt traffic only once. A firewall enabled as a decryption broker forwards the clear-text traffic to security chains (sets of inline, third-party appliances) for additional enforcement, so the appliances in the chain never have to decrypt it themselves. This lets you consolidate security functions on the firewall, optimize network performance, and reduce the number of devices in your security infrastructure. |
| Automatic SAN Support for SSL Decryption | Browsers such as Google Chrome and Mozilla Firefox match the requested host name only against a Subject Alternative Name (SAN) in the server certificate and no longer accept a Common Name (CN) on its own. So that SSL sessions to servers whose certificate carries only a CN can still be decrypted, the firewall now adds a SAN to the impersonation certificate it presents to the client when it inserts itself as a trusted third party in the session, and populates that SAN from the CN of the server certificate. |
| HSM Client Upgrade and SafeNet HSM Cluster Support | When the firewall acts as a hardware security module (HSM) client to manage your private keys, the HSM client now supports SafeNet client versions 5.4.2 and 6.2.2 and Thales nShield version 12.30, for compatibility with the corresponding HSM server versions. SafeNet HSM high availability is also extended from an HA pair of HSMs to an HA cluster of up to 16 HSMs. The HSM client upgrades and SafeNet HA clusters are supported on Panorama and on all firewall models except the PA-800 Series, PA-500, PA-220, and PA-200. |
| ECDSA Certificate Support for SSL Decryption with HSMs | You can now keep the private keys of Elliptic Curve Digital Signature Algorithm (ECDSA) certificates used for SSL decryption on a third-party network HSM. The firewall uses the HSM-held ECDSA key to decrypt traffic between a client and server. HSM support for ECDSA certificates applies to both SSL Forward Proxy and SSL Inbound Inspection. |
| ECDHE/DHE Cipher Support on HSMs | HSM integration now supports cipher suites that use ephemeral Diffie-Hellman (DHE) and ephemeral elliptic curve Diffie-Hellman (ECDHE) key exchange for SSL decryption when your keys are stored on a network HSM. With these suites the session key is derived from ephemeral Diffie-Hellman values rather than encrypted to the certificate's key, so the firewall takes part in the key exchange itself and needs the HSM-held private key only to sign it. |
| Decryption Port Mirroring Support Extension | Decryption port mirroring is now supported on all hardware firewalls and on VM-Series firewalls, with the exception of VM-Series on VMware NSX, Citrix SDX, and the public cloud hypervisors (AWS, Azure, and Google Cloud Platform). The feature sends a copy of decrypted traffic to a traffic collection tool for archiving and analysis; because that copy is clear text, the mirror port and the collector need the same access controls as the decrypted sessions themselves. |
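The Automatic SAN row above, as an added example that is not Palo Alto Networks code: a standard-library Go program that issues a CN-only origin certificate, re-issues it under a forward-trust CA the way a forward proxy impersonates the server, copies the CN into a dNSName SAN when the origin had none, and then runs the SAN-only host-name check a modern browser applies. The names `NewForwardTrustCA`, `OriginCert`, `Impersonate` and `BrowserAcceptsHost` and the host names are this example's own; all certificates are constructed in the code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// mustKey generates a P-256 key; used for the CA, the origin server and the impersonation leaf.
func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with parentKey under parent (self-signed when parent == tmpl) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewForwardTrustCA returns a self-signed CA standing in for the firewall's Forward Trust certificate.
func NewForwardTrustCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Forward Trust CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return issue(tmpl, tmpl, &key.PublicKey, key), key
}

// OriginCert builds the certificate the real server presents: a CN plus whatever SANs it
// carries (nil for a legacy, CN-only server). Constructed test input.
func OriginCert(cn string, sans []string) *x509.Certificate {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return issue(tmpl, tmpl, &key.PublicKey, key)
}

// Impersonate mimics the forward-proxy step: re-issue the origin's identity under the Forward
// Trust CA with a fresh key. With addSAN set (the 8.1 behaviour) a CN-only origin certificate
// gets a dNSName SAN copied from its CN; SANs the origin already had are carried over unchanged.
func Impersonate(origin, ca *x509.Certificate, caKey *ecdsa.PrivateKey, addSAN bool) *x509.Certificate {
	leafKey := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      origin.Subject,
		DNSNames:     append([]string(nil), origin.DNSNames...),
		NotBefore:    origin.NotBefore,
		NotAfter:     origin.NotAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if addSAN && len(tmpl.DNSNames) == 0 && origin.Subject.CommonName != "" {
		tmpl.DNSNames = []string{origin.Subject.CommonName}
	}
	return issue(tmpl, ca, &leafKey.PublicKey, caKey)
}

// BrowserAcceptsHost applies the SAN-only host-name check of current browsers: the CN is never
// consulted; a dNSName matches exactly or as a single-label wildcard such as *.example.com.
func BrowserAcceptsHost(cert *x509.Certificate, host string) bool {
	host = strings.ToLower(host)
	for _, san := range cert.DNSNames {
		san = strings.ToLower(san)
		if san == host {
			return true
		}
		if i := strings.IndexByte(host, '.'); strings.HasPrefix(san, "*.") && i > 0 && host[i+1:] == san[2:] {
			return true
		}
	}
	return false
}
```

`Impersonate(origin, ca, caKey, false)` reproduces the pre-8.1 result: the CN is preserved but the client rejects the certificate, because nothing in it names the host the way the client checks. Go's own `x509.Certificate.VerifyHostname` has behaved the same way since Go 1.15, so a Go client would show the identical failure and fix.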
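The ECDSA-on-HSM and ECDHE/DHE rows above, as an added example that is not PAN-OS or HSM-vendor code: a Go sketch of the TLS 1.2 ECDHE_ECDSA server key exchange in which the certificate key is reachable only through a `crypto.Signer`, the same shape an HSM client presents to the application. It shows that the HSM-held key signs the ephemeral parameters and is used nowhere else; the premaster secret comes from the two ephemeral keys alone. `HSMSigner`, `ServerHalf`, `ClientHalf` and `RunHandshake` are this example's names, and the signed ServerECDHParams are reduced to the bare point (no curve-type or named-curve bytes).

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
	"math/big"
)

// newP256 generates a P-256 key; used for the HSM-held key and for both sides' ephemeral keys.
func newP256() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// HSMSigner models the only access the firewall has to an HSM-held ECDSA certificate key: the
// private scalar stays inside and callers can only request signatures. Constructed for this
// example; a real HSM client forwards Sign to the device over the network.
type HSMSigner struct{ priv *ecdsa.PrivateKey }

func NewHSMSigner() *HSMSigner                 { return &HSMSigner{priv: newP256()} }
func (h *HSMSigner) Public() crypto.PublicKey { return &h.priv.PublicKey }
func (h *HSMSigner) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return ecdsa.SignASN1(r, h.priv, digest)
}

// ServerKeyExchange is what a TLS 1.2 ECDHE_ECDSA server sends: an ephemeral P-256 point and
// a signature binding it to both randoms.
type ServerKeyExchange struct {
	EphemeralPub []byte // uncompressed SEC1 point
	Signature    []byte // ASN.1 DER ECDSA signature
}

// paramsDigest hashes client_random || server_random || params, the value the signature covers.
func paramsDigest(clientRandom, serverRandom, point []byte) []byte {
	h := sha256.New()
	h.Write(clientRandom)
	h.Write(serverRandom)
	h.Write(point)
	return h.Sum(nil)
}

// fixed32 encodes a P-256 scalar or coordinate as exactly 32 big-endian bytes.
func fixed32(x *big.Int) []byte { return x.FillBytes(make([]byte, 32)) }

// ServerHalf makes the ephemeral key and has the HSM sign the parameters; this is the only
// point in the handshake where the certificate key is used.
func ServerHalf(hsm crypto.Signer, clientRandom, serverRandom []byte) (*ecdsa.PrivateKey, *ServerKeyExchange, error) {
	eph := newP256()
	point := elliptic.Marshal(elliptic.P256(), eph.X, eph.Y)
	sig, err := hsm.Sign(rand.Reader, paramsDigest(clientRandom, serverRandom, point), crypto.SHA256)
	if err != nil {
		return nil, nil, err
	}
	return eph, &ServerKeyExchange{EphemeralPub: point, Signature: sig}, nil
}

// ClientHalf verifies the signature with the certificate's public key, then derives the
// premaster secret from the two ephemeral keys alone. Returns the client's point and the secret.
func ClientHalf(certPub crypto.PublicKey, clientRandom, serverRandom []byte, ske *ServerKeyExchange) ([]byte, []byte, error) {
	pub, ok := certPub.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, paramsDigest(clientRandom, serverRandom, ske.EphemeralPub), ske.Signature) {
		return nil, nil, errors.New("ServerKeyExchange signature does not verify")
	}
	sx, sy := elliptic.Unmarshal(elliptic.P256(), ske.EphemeralPub)
	if sx == nil {
		return nil, nil, errors.New("server ephemeral point is not on P-256")
	}
	eph := newP256()
	x, _ := elliptic.P256().ScalarMult(sx, sy, fixed32(eph.D))
	return elliptic.Marshal(elliptic.P256(), eph.X, eph.Y), fixed32(x), nil
}

// RunHandshake drives one exchange with fresh randoms and reports whether both sides agree.
func RunHandshake(hsm crypto.Signer) (bool, error) {
	randoms := make([]byte, 64)
	if _, err := io.ReadFull(rand.Reader, randoms); err != nil {
		return false, err
	}
	clientRandom, serverRandom := randoms[:32], randoms[32:]
	eph, ske, err := ServerHalf(hsm, clientRandom, serverRandom)
	if err != nil {
		return false, err
	}
	clientPoint, clientSecret, err := ClientHalf(hsm.Public(), clientRandom, serverRandom, ske)
	if err != nil {
		return false, err
	}
	// Server side of the ECDH: its ephemeral scalar times the client's ephemeral point.
	cx, cy := elliptic.Unmarshal(elliptic.P256(), clientPoint)
	x, _ := elliptic.P256().ScalarMult(cx, cy, fixed32(eph.D))
	return bytes.Equal(clientSecret, fixed32(x)), nil
}
```

The design point for inbound inspection follows directly: a passive device holding only the server's private key cannot recover the secret here, because nothing in the exchange is encrypted to that key. A firewall decrypting these suites has to be an active party that runs `ServerHalf` itself and asks the HSM for the signature, which is the operation the HSM integration on this page adds.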