# PAN-OS 8.1: SSL Decryption Broker for Federal Government

By [Tighe Schlottog](https://www.paloaltonetworks.com/blog/author/tighe-schlottog/?ts=markdown "Posts by Tighe Schlottog")

Mar 02, 2018

To achieve operational security, federal agencies have had to expand their capabilities over the years. These expansions have moved from network enforcement points, such as firewalls and IPS, to the examination and control of applications and the data moving through those applications with DLP systems.

In the early days of the internet, SSL was something of an anomaly, with only a few sites utilizing transport encryption. But the explosion of cloud-based services (IaaS, PaaS, SaaS), such as Office 365 and Gmail, as well as e-commerce and online banking, has driven the utilization of SSL from what was once maybe a 10 percent slice of the internet to well over 50 percent and, in some cases, upwards of 70 percent. For these security chains to continue to secure their organizations, agencies have had to adopt SSL decryption within the chains. This has led to costly, highly complex, and difficult-to-manage environments.

![Decryption\_1](https://www.paloaltonetworks.com/blog/wp-content/uploads/2018/03/Decryption_1.png)

*Fig 1. Traditional Security Chains between Load Balancers*

The utilization of SSL services on the internet continued to increase, and these security chains could no longer handle the amount of traffic they were required to inspect. In order to scale to meet the inspection and enforcement needs, two options for SSL decryption were introduced within the security chains:

1. Each device in the chain decrypts and inspects the traffic as it moves through the chain.
   This introduces an extreme amount of latency as each security device in the chain must now decrypt, inspect, and encrypt the traffic before sending it along to the next device.
2. Specialized SSL decryption and load balancing appliances were installed to shoulder the burden of decryption and balance traffic across multiple chains. As these devices and more chains were added to accommodate needs, the costs related to installation, operation, and maintenance continued to rise.

SSL-encrypted traffic continues to grow exponentially, and agencies need the ability to handle the decryption of traffic for these security chains in a simplified and easy-to-manage manner. [Palo Alto Networks Decryption Broker](https://www.paloaltonetworks.com/products/new/new-panos8-1), which we announced as part of the PAN-OS 8.1 launch, is able to handle this traffic at scale, with minimal performance impact, allowing for the full benefits of the Palo Alto Networks Next-Generation Security Platform to examine traffic for known and unknown threats before handing sessions off to the third-party devices within the security chain.

Here's how it works:

![Decryption\_2](https://www.paloaltonetworks.com/blog/wp-content/uploads/2018/03/Decryption_2.png)

*Fig 2: Palo Alto Networks Decryption Broker*

1. Ingress traffic is examined against the initial security policy. If it passes, it is sent to be decrypted.
2. Decrypted traffic is examined onboard for content and threats, based on the attribution of user and application identification in addition to the verdicts rendered out of the content and threat engines.
3. Once traffic passes onboard checks, the decryption broker forwards it into the security chain, which inspects the now-decrypted traffic and renders verdicts, scrubs data, etc.
4. The traffic is returned to the firewall through the second decryption broker interface.
5. Egress traffic is encrypted and forwarded to the destination.

With the closed-loop forwarding of these security chains, control of the decrypted data is isolated from the standard network based on the agency's segmentation policy. These chains can be constructed in either a Layer 3 (IP-forwarded) or Layer 2 (MAC-forwarded) deployment, ensuring isolation hop to hop before the traffic is returned to the firewall for encryption and forwarding.

Our SSL Decryption Broker can greatly simplify the network and security architecture by integrating the core functions of URL Filtering, Threat Inspection, and WildFire into the Decryption Broker. This allows the elimination of security appliance sprawl and consolidation of technologies into the Palo Alto Networks platform. The simplification of this environment has many additional benefits, such as the simplification of troubleshooting issues that will arise in the security chain. Lastly, the management of the environment is greatly simplified, allowing for a standardization of security and decryption policy and further allowing it to be deployed at scale.

For more information about the configuration of SSL Decryption Broker, please review the forthcoming PAN-OS 8.1 Admin Guide and learn [what's new in PAN-OS 8.1](https://www.paloaltonetworks.com/products/new/new-panos8-1).