Quiz Entry - updated: 2026.07.14
What are the key settings of the Decryption rule that enables SSL Forward Proxy on the firewall?
A Decryption policy with Source = Any, Destination = Outside, Action = Decrypt, and Type = ssl-forward-proxy.
Enabling TLS inspection is not just "flip a switch" — it needs two things wired together:
- A re-encryption certificate. First you generate a self-signed root certificate, then edit it and tick the checkboxes that declare it usable for forward-proxy re-encryption. Without the "forwarding"/Forward-Trust flags set, the firewall can't sign the substitute certificates it hands to clients.
- A Decryption policy rule (Policies → Decryption) telling the firewall which traffic to break open:
| Field | Value | Why |
|---|---|---|
| Source | Any (zone/address/user) | Decrypt traffic from anyone inside |
| Destination | Outside | Only decrypt traffic leaving toward the internet |
| Action | Decrypt | (vs. No-Decrypt for exclusions) |
| Type | ssl-forward-proxy | The "controlled MITM" mode for outbound client traffic |
As always on Palo Alto, the change only takes effect after a Commit.
Why Destination = Outside, not Any? You typically decrypt outbound client sessions (forward proxy). Inbound-to-server decryption is a different mode (SSL Inbound Inspection) where you hold the server's real key.
Tip: ssl-forward-proxy = decrypt traffic from your users to the internet. Remember it as "forward = following the user outward."
Go deeper:
TLS termination proxy (Wikipedia) — the decrypt-inspect-re-encrypt forward-proxy pattern these fields configure.