SSL Decryption

Many customers need to configure Palo Alto firewalls with a SSL Forward Proxy decryption policy to decrypt and inspect SSL/TLS traffic from internal users to the web.


The How To document on SSL in the Knowledgebase (DOC-1412) is accurate but dated, there’s also an index of relevant pages.


Within the manuals, the primary document for setting this up on PANOS 6, including self-signed CA certificate generation, is here:


There is limited SSH and SSHv2 decryption.  The firewall is able to distinguish whether the SSH traffic is being routed normally or if it is using SSH tunneling (port forwarding). Content and threat inspections are not performed on SSH tunnels; however, if SSH tunnels are identified by the firewall, the SSH tunneled traffic can be blocked and restricted according to configured security policies.

Was this article helpful?

Related Articles

Leave A Comment?

You must be logged in to post a comment.