Name: #paloaltofirewalltraining | Day 30 | How to configure SSL-Decryption | Detailed Explanation
Uploaded: 2025-03-09 19:30:05
Duration: 26 min 21 s

Question 1

How do I configure SSL decryption in Palo Alto firewall (forward proxy)?

Accepted Answer

In my lab I do it in three parts: generate a forward trust certificate, create an SSL/TLS service profile, and then create a Decryption policy from inside to outside. Along with that, you must have the security policy to allow traffic and NAT configured, otherwise you won’t see proper browsing. After commit, I verify from the browser certificate and from Monitor logs using the “decrypted” flag.

Question 2

What is a Forward Trust certificate in Palo Alto SSL decryption?

Accepted Answer

Forward Trust is the certificate the Palo Alto uses when traffic is going from my internal user to the internet (forward traffic). The firewall intercepts the SSL handshake, generates a new certificate on the fly, and presents it to the client with Palo Alto as issuer. That’s why the client must trust this root CA, otherwise you will get the privacy/certificate warning.

Question 3

Why am I getting 'Your connection is not private' after enabling SSL decryption?

Accepted Answer

This happens because your PC/browser does not trust the Palo Alto generated root CA certificate. In my demo, Google opens with a privacy error until I install the exported certificate in Trusted Root Certificate Authorities. Once the certificate is installed, the browser stops throwing the warning and SSL decryption works smoothly.

Question 4

How can I verify SSL decryption is working in Palo Alto?

Accepted Answer

I verify it in two ways: first, on the client side I check the website certificate and confirm it is issued by my Palo Alto (issuer changes to the firewall). Second, in the firewall I go to Monitor logs and enable the “decrypted” column, and for HTTPS (443) you will see ‘yes’. DNS and non-HTTPS traffic will not show as decrypted.

Question 5

What settings should I choose in an SSL/TLS service profile for decryption?

Accepted Answer

The profile controls what the firewall should do when the server certificate is expired/untrusted, when cipher/mode is unsupported, or when decryption fails because the device is busy. In the video I explain it like: do you want to block, or allow without decryption (fail-open). You should decide based on your security requirement and real production behavior.

Question 6

How do I deploy the Palo Alto decryption certificate to all users in an organization?

Accepted Answer

In real world, I don’t manually install on every PC like lab. I export the root CA certificate and share it with the server/team, and they push it using Group Policy to all organization endpoints. Then every device trusts that CA and users won’t get browser certificate errors.

Question 7

What is SSL decryption exclusion list in Palo Alto and can I disable it?

Accepted Answer

Palo Alto has an SSL Decryption Exclusion list (in my firewall it shows many default websites) because as per cyber rules you should not decrypt certain private data/apps. If your requirement/country policy says you must decrypt, you can disable the exclusion entry and commit. After that, those sites/apps can also be decrypted, but you must understand the compliance impact.

#paloaltofirewalltraining | Day 30 | How to configure SSL-Decryption | Detailed Explanation

🛍️ Products Mentioned (2)

Paloaltonetworks Product

For Palo Alto Documentation

About This Video

Frequently Asked Questions

🎬 More from Bikash's Tech