Palo Alto Networks: How to configure Decryption

1. Purpose of the article

In this article techbast will guide you through configuring the Decryption feature (SSL Forward Proxy) on a Palo Alto firewall, so that outbound HTTPS sessions from the LAN are decrypted and inspected by the firewall.

2. Diagram


  • The Palo Alto firewall connects to the internet via port ethernet1/1 with a static IP of
  • The Palo Alto firewall connects to the LAN via port ethernet1/2 with a static IP of
  • A DHCP server is configured on ethernet1/2 to assign addresses to the LAN devices.
  • PC 1 is connected to ethernet1/2 and received an IP address of
  • Security policy and NAT are configured on the firewall so that PC 1 can access the internet.

3. Scenario

We will configure Decryption so that the Palo Alto firewall decrypts all HTTPS traffic that PC 1 sends to the internet. The firewall terminates the TLS session from PC 1, re-signs the destination server's certificate with its own CA, and opens a second TLS session to the real server; for this to work without browser warnings, PC 1 must trust that CA.

4. Steps

  • Create the forward-trust and forward-untrust CA certificates
  • Create the Decryption policy
  • Add the forward-trust certificate to PC 1
  • Result

5. Configuration

5.1 Create Certificate

To configure Decryption, first go to Device > Certificate Management > Certificates.

Click Generate to create a new certificate with the following information:

  • Certificate Name: trusted-ca
  • Common Name: the firewall's LAN IP address
  • Certificate Authority: check the Certificate Authority box.

Click Generate to create it.

Click Generate again to create a second certificate with the following information:

  • Certificate Name: untrusted-ca
  • Common Name: untrusted
  • Certificate Authority: check the Certificate Authority box.

Click Generate to create it.

Click trusted-ca name to edit as follows:

  • Check the box for Forward Trust Certificate.

Click OK.

Similarly, click on the untrusted-ca name and edit it as follows:

  • Check Forward Untrust Certificate.

Click OK.

The firewall uses untrusted-ca to re-sign the certificates of servers whose own certificate it cannot validate (expired, self-signed, unknown CA). Because the clients do not trust untrusted-ca, the browser still shows a warning for those sites, which is exactly what you want; never install untrusted-ca on the clients.

Next, tick the trusted-ca certificate and click Export Certificate to download it to the computer. Export the certificate only, in Base64 (PEM) or DER format, and leave the private key export unchecked: the clients only need the public certificate, and the CA's private key must never leave the firewall.

5.2. Create Decryption Policy

Next we will create a Decryption Policy. Go to Policies > Decryption, click Add and configure it with the following parameters:

  • Name: Test_Decryption
  • Source: Trust-Player3 (the LAN zone on ethernet1/2)
  • Destination: Untrust (the internet zone on ethernet1/1)
  • Service/URL Category: Any
  • Options: select Decrypt as the Action and SSL Forward Proxy as the Type

Click OK and Commit the configuration.

5.3. Add Certificate to PC 1

In the Windows search box, type mmc and press Enter to open the Microsoft Management Console.

Select Console Root > File > Add/Remove Snap-in…

The Add or Remove Snap-ins panel appears; select Certificates and click Add.

The Certificates snap-in panel appears; select Computer account > Next > select Local computer > click Finish > click OK.

Go to Certificates (Local Computer) > Trusted Root Certification Authorities > right-click Certificates > All Tasks > Import.

The Certificate Import Wizard window appears; click Next, then under File name click Browse and navigate to where you saved the certificate at export.

Click Next > Finish to complete the import.

Note that Firefox keeps its own certificate store and ignores the Windows root store unless the about:config preference security.enterprise_roots.enabled is set to true; other browsers on Windows use the store you just imported into.
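The same import can be done from an elevated PowerShell prompt instead of the MMC snap-in. The block below is an added example, not from the original article; it assumes the certificate exported in step 5.1 was saved as C:\Temp\trusted-ca.cer (that path is an assumption).

```powershell
# Added example (not from the original article): install the exported forward-trust CA
# into the Local Computer "Trusted Root Certification Authorities" store.
# Run from an elevated (Administrator) PowerShell prompt.
# Assumption: the file exported in step 5.1 is C:\Temp\trusted-ca.cer (PEM or DER, no private key).
$CertPath = 'C:\Temp\trusted-ca.cer'

if (-not (Test-Path $CertPath)) { throw "Certificate file not found: $CertPath" }

# Equivalent to MMC > Certificates (Local Computer) > Trusted Root Certification Authorities
# > Certificates > All Tasks > Import. Import-Certificate only handles public certificates,
# so a .pfx containing the CA's private key cannot be installed by mistake here.
$cert = Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root'

# Confirm the certificate is now in the machine root store
$installed = Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) { throw 'trusted-ca was not installed in Cert:\LocalMachine\Root' }

# Confirm it really is a CA certificate (Basic Constraints: CA = True), as generated in step 5.1
$basicConstraints = $installed.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $basicConstraints -or -not $basicConstraints.CertificateAuthority) {
    Write-Warning 'Installed certificate is not marked as a CA; check the Certificate Authority box in step 5.1'
}

"Installed : $($installed.Subject)"
"Thumbprint: $($installed.Thumbprint)"
"Valid     : $($installed.NotBefore) -> $($installed.NotAfter)"
```

To remove it later (for example when the lab is torn down), delete it by thumbprint: `Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object Thumbprint -eq $cert.Thumbprint | Remove-Item`.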

5.4. Result

Go to PC 1 and browse to a few HTTPS websites.

Then go back to the logs on the Palo Alto firewall to check whether the traffic has been decrypted.

To see the logs, go to Monitor > Traffic. If the Decrypted column is not visible, add it from the column selector in the table header.

Look at the Decrypted column: sessions matching the policy that use the ssl application on port 443 are shown as decrypted, and the Application column now shows the application inside the TLS session (for example web-browsing) rather than just ssl. Sites that are excluded from decryption by the policy, or that use certificate pinning, will still appear as not decrypted.
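You can also confirm decryption from PC 1 itself: with SSL Forward Proxy the certificate the client receives is issued by trusted-ca, not by the website's public CA. The block below is an added example, not from the original article; it compares the issuer of the certificate presented for an HTTPS site with the subject of the exported trusted-ca file. The host name and the file path are assumptions.

```powershell
# Added example (not from the original article): check from PC 1 whether an HTTPS session
# is being re-signed by the firewall's forward-trust CA.
# Assumptions: www.example.com is reachable through the firewall and matches the decryption
# policy; the CA exported in step 5.1 is at C:\Temp\trusted-ca.cer.
$TargetHost = 'www.example.com'
$CaPath     = 'C:\Temp\trusted-ca.cer'

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaPath)

# Open a raw TLS session and capture whatever certificate is presented. The callback
# returns $true only so the handshake completes; this is a diagnostic, not a secure client.
$tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, 443)
$script:presented = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
    return $true
}
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($TargetHost)
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

"Site subject : $($presented.Subject)"
"Site issuer  : $($presented.Issuer)"
"Firewall CA  : $($ca.Subject)"

# With decryption in effect the issuer DN of the leaf equals the subject DN of trusted-ca.
if ($presented.Issuer -eq $ca.Subject) {
    "Decrypted: YES - the certificate was re-signed by the firewall's forward-trust CA"
} elseif ($presented.Issuer -match 'CN=untrusted') {
    "Decrypted: YES, via untrusted-ca - the original server certificate failed validation on the firewall"
} else {
    "Decrypted: NO - this session is passing through; check the zones and policy match in step 5.2"
}
```

Running this before the policy is committed (or for a site excluded from decryption) shows the site's real public CA as the issuer, which makes a useful before/after comparison.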
