Palo Alto

    Palo Alto SSL Decryption deep dive: forward proxy and inbound

    TechLeague Editorial · 7 min read

    Without decryption, your NGFW is mostly blind. Done right, decryption is invisible to users and gives full L7 visibility.

    Forward proxy

    • Generate a subordinate CA from internal PKI.
    • Push CA to all endpoints (MDM, GPO).
    • Decryption profile blocks weak ciphers.

    Inbound

    • Use the server's real cert and private key.
    • Best for published web apps; not for SNI-based hosting.

    Exclusions

    • Banking, healthcare, government per local law.
    • Use Palo Alto's predefined SSL Decryption Exclusion Cache.

    TLS 1.3

    • Encrypted SNI and ECH break legacy bypass rules that match on the cleartext SNI.
    • Update PAN-OS to current train; review profiles.
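
    The bullets above on weak ciphers, SNI-based exclusions and ECH all hinge on what the firewall can read from the ClientHello before it decides to decrypt, bypass or block. The following is an added example, not Palo Alto code and not part of the original article: a minimal ClientHello parser plus a simplified policy model that mirrors those three decisions. The sample hellos are constructed in the script, the exclusion list and the "weak cipher" set are this example's assumptions, and the ECH branch treats the outer SNI as untrusted because it is only a cover name.

```python
"""Constructed TLS ClientHello samples run through a simplified decryption policy.

Added example (not PAN-OS code): parses the record, extracts SNI, offered cipher
suites, supported_versions and the presence of an ECH extension, then models the
bypass / decrypt / block decision a decryption policy keyed on SNI would make.
"""
import struct

# Cipher suite codepoints from the IANA TLS registry.
TLS_AES_128_GCM_SHA256 = 0x1301
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_RSA_WITH_RC4_128_SHA = 0x0005
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
TLS_RSA_WITH_NULL_SHA = 0x0002

EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
EXT_ENCRYPTED_CLIENT_HELLO = 0xFE0D  # draft-ietf-tls-esni codepoint

# Example policy assumptions: suites a decryption profile would refuse to forward.
WEAK_CIPHERS = {TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_NULL_SHA}


def build_client_hello(sni, ciphers, versions=(0x0304, 0x0303), ech=False):
    """Construct a ClientHello record (sample input for this example)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = struct.pack("!BH", 0, len(name)) + name          # NameType host_name(0)
        body = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(body)) + body
    vers = b"".join(struct.pack("!H", v) for v in versions)
    body = struct.pack("!B", len(vers)) + vers
    exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(body)) + body
    if ech:
        payload = b"\x00" * 16   # placeholder; a real ECH carries the encrypted inner hello
        exts += struct.pack("!HH", EXT_ENCRYPTED_CLIENT_HELLO, len(payload)) + payload
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    hello = (
        struct.pack("!H", 0x0303)                 # legacy_version
        + b"\x11" * 32                            # random (constructed)
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                             # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return sni, offered cipher suites, supported_versions and ECH presence."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # skip compression_methods
    result = {"sni": None, "ciphers": ciphers, "versions": [], "ech": False}
    if pos >= len(body):
        return result
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME:
            # ServerNameList: list length(2), NameType(1), HostName length(2), name
            name_len = struct.unpack("!H", edata[3:5])[0]
            result["sni"] = edata[5:5 + name_len].decode("ascii")
        elif etype == EXT_SUPPORTED_VERSIONS:
            n = edata[0]
            result["versions"] = [struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)]
        elif etype == EXT_ENCRYPTED_CLIENT_HELLO:
            result["ech"] = True
    return result


def decide(hello, exclusions, weak_ciphers=WEAK_CIPHERS):
    """Simplified policy: bypass on excluded SNI, block if only weak suites, else decrypt."""
    if hello["ech"]:
        # Outer SNI is a cover name, so an SNI-keyed exclusion cannot be trusted.
        return {"action": "decrypt", "reason": "ech-present-sni-untrusted"}
    sni = hello["sni"]
    if sni is not None:
        for domain in exclusions:
            if sni == domain or sni.endswith("." + domain):
                return {"action": "bypass", "reason": "excluded:" + domain}
    if not [c for c in hello["ciphers"] if c not in weak_ciphers]:
        return {"action": "block", "reason": "only-weak-ciphers-offered"}
    return {"action": "decrypt", "reason": "no-exclusion-match"}


if __name__ == "__main__":
    exclusions = ["examplebank.com"]  # constructed exclusion list
    samples = [
        build_client_hello("online.examplebank.com", [TLS_AES_128_GCM_SHA256]),
        build_client_hello("www.example.com", [TLS_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]),
        build_client_hello("legacy.example.com", [TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA]),
        build_client_hello("public.example", [TLS_AES_128_GCM_SHA256], ech=True),
    ]
    for record in samples:
        hello = parse_client_hello(record)
        print(hello["sni"], decide(hello, exclusions))
```

The ECH branch is the point the TLS 1.3 bullet makes: once the real name lives inside the encrypted inner hello, a legacy exclusion list matched on the outer SNI can neither confirm nor deny a bypass, so the profile and PAN-OS version decide what happens next, not the hostname.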

    Performance

    • Decryption costs roughly 30–50% of throughput.
    • Size appliances or distribute load via Panorama.

    Train decryption troubleshooting in a TechLeague tournament.