SSL Inbound Inspection decrypts and
inspects incoming traffic for threats before it reaches your internal servers.
Organizations often rely on
hardware security modules (HSMs) to
protect the private keys used for this decryption, especially in highly regulated
industries. Previously, if the keys required for SSL Inbound Inspection were stored
on an HSM, the Next-Generation Firewall (NGFW) automatically downgraded TLSv1.3
connections to TLSv1.2. Consequently, those connections lost the security and
performance benefits unique to TLSv1.3.
PAN-OS® 11.2 resolves this issue by extending TLSv1.3 support for
SSL Inbound Inspection to sessions that
use private keys protected by an HSM. Now, you can decrypt and inspect traffic to
your internal servers over the latest TLS version. This combination ensures the
highest protection for your cryptographic keys at rest and your data in motion.
Connectivity between Thales Luna Network or Entrust nShield HSMs and a virtual or
physical NGFW is required.