How do firewalls select cipher suites for SSL Forward Proxy decryption?

Created On 06/16/23 11:58 AM - Last Modified 04/18/24 21:39 PM


Question


How do firewalls select cipher suites for use in proxied Client Hellos when performing SSL Decryption using the SSL Forward Proxy feature?

Environment


  • Any Palo Alto Networks Firewall
  • Any PAN-OS Version
  • SSL Forward Proxy configured


Answer


This is the flow that leads to cipher selection:
  1. A client sends an SSL Client Hello which lists the ciphers it supports.
  2. The firewall intercepts this Hello and prepares a new one.
  3. The firewall compares the list of client supported ciphers with those configured in the Decryption Profile under SSL Decryption > SSL Protocol Settings.
    1. Scenario 1: There are matches. The Firewall sends the new Client Hello with the ciphers that exist in both the Decryption Profile and the original Client Hello.
    2. Scenario 2: There are no matches. The Firewall writes an error message to the decryption log and performs an action depending on the configuration in the Decryption Profile under SSL Decryption > SSL Forward Proxy > Unsupported Mode Checks > Block sessions with unsupported cipher suites.
      1. Box checked: Block the session.
      2. Box unchecked: Allow the session without decryption.


Additional Information


  • In summary, the firewall performs a logical AND (a set intersection) on the ciphers in the Decryption Profile and the original Client Hello, and only includes those present in both in the proxied Client Hello.
  • The firewall will not offer cipher suites in the proxied Client Hello that did not exist in the original Client Hello.
  • It is therefore not possible to use the firewall to "upgrade" the security of a legacy client connection that only offers weak ciphers.
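The selection flow and the three outcomes above, modelled as an added example (this is not Palo Alto Networks code; the cipher-suite names, the profile contents and the log text are constructed for illustration):

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set

# Constructed sample data, not taken from any real capture or profile.
CLIENT_HELLO_MODERN = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
CLIENT_HELLO_LEGACY = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
# Ciphers enabled in the Decryption Profile (SSL Protocol Settings).
DECRYPTION_PROFILE_CIPHERS = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


@dataclass
class ProxyDecision:
    action: str                   # "decrypt", "block" or "allow-no-decrypt"
    proxied_ciphers: List[str]    # ciphers placed in the firewall's Client Hello
    log: Optional[str]            # decryption-log message, when one is written


def select_proxied_ciphers(client_ciphers: Sequence[str],
                           profile_ciphers: Set[str],
                           block_unsupported: bool) -> ProxyDecision:
    """Intersect the client's list with the profile, keeping the client's order.

    Scenario 1 (matches): proxied Hello carries only the common ciphers.
    Scenario 2 (no matches): log, then block or allow without decryption
    depending on "Block sessions with unsupported cipher suites".
    """
    common = [c for c in client_ciphers if c in profile_ciphers]
    if common:
        return ProxyDecision("decrypt", common, None)
    # Constructed log text; the real decryption log wording differs.
    log = "no cipher suite common to Client Hello and Decryption Profile"
    if block_unsupported:
        return ProxyDecision("block", [], log)
    return ProxyDecision("allow-no-decrypt", [], log)
```

Note that `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` never appears in a proxied Hello even though the profile allows it, because the client did not offer it; the legacy client gets no decryption either way.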

How to Implement and Test SSL Decryption
Configure SSL Forward Proxy
Decryption Best Practices
