LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the key settings of the Decryption rule that enables SSL Forward Proxy on the firewall?

A Decryption policy with Source = Any, Destination = Outside, Action = Decrypt, and Type = ssl-forward-proxy.

Enabling TLS inspection is not just "flip a switch" — it needs two things wired together:

  1. A re-encryption certificate. First you generate a self-signed root certificate, then edit it and tick the checkboxes that declare it usable for forward-proxy re-encryption. Without the "forwarding"/Forward-Trust flags set, the firewall can't sign the substitute certificates it hands to clients.
  2. A Decryption policy rule (Policies → Decryption) telling the firewall which traffic to break open:
Field Value Why
Source Any (zone/address/user) Decrypt traffic from anyone inside
Destination Outside Only decrypt traffic leaving toward the internet
Action Decrypt (vs. No-Decrypt for exclusions)
Type ssl-forward-proxy The "controlled MITM" mode for outbound client traffic

As always on Palo Alto, the change only takes effect after a Commit.

Why Destination = Outside, not Any? You typically decrypt outbound client sessions (forward proxy). Inbound-to-server decryption is a different mode (SSL Inbound Inspection) where you hold the server's real key.

Tip: ssl-forward-proxy = decrypt traffic from your users to the internet. Remember it as "forward = following the user outward."

Go deeper:

From Quiz: INTROL / Firewall Advanced Lab (Lab 6) | Updated: Jul 14, 2026