Limitations and Recommendations While Implementing SSL Decryption

Details

SSL Decryption will not work or take effect under the following scenarios:

Limitations

1. Forward proxy decryption does not work with mutual authentication
   1. The server expects user certificate to be presented during handshake, and the Palo Alto Networks firewall does not have access to the user's private key and certificate
2. The content cannot be decrypted when unsupported protocols or ciphers are used

1. TLS 1.2 cannot be decrypted before PAN-OS 6.0 and TLS 1.3 cannot be decrypted before PAN-OS 10.0.
2. Before PAN-OS 6.0 the TLS 1.2 sessions were downgraded to TLS 1.1
3. The following cipher suites are not supported for decryption:
   AES128-GCM-SHA256
   Note: AES128-GCM-SHA256 is supported in PAN-OS 7.1 and above.
4. Firewalls do not decrypt sessions where Diffie-Hellman key exchange is used for Forward Proxy Decryption in PAN-OS 7.1 and earlier releases

Recommendations

1. If there is an enterprise CA in place, use it, since it is trusted
2. Enable SSL Decryption for a small group of users or a single subnet
3. Always use URL categories to decrypt selective content, such as social-networking.
4. In some countries, certain connections cannot be decrypted due to the law, so use URL categories to exclude sensitive categories.

The following document contains the list of applications that are excluded from SSL Decryption: List of Applications Excluded from SSL Decryption