Enable Comprehensive Cryptographic Visibility
Use this procedure to enable the Quantum-Safe Security app to build a cryptographic
inventory, identify vulnerable assets, track PQC readiness, and share migration
recommendations.
The Quantum-Safe Security app provides visibility into your cryptographic
posture and offers remediation guidance to support the transition to post-quantum cryptography
(PQC). The app continuously ingests data from Next-Generation Firewalls
(NGFW), Prisma Access, and integrated third-party solutions to discover network
assets and assess their cryptographic risk and capability to support PQC. The app
maintains a live inventory of these assets and their cryptographic materials,
including the algorithms, keys, and certificates used in SSL/TLS sessions, SSH
sessions, and VPN tunnels. A dashboard provides a high-level overview of
cryptographic risk and quantum readiness.
Risk Classification
The app classifies your assets into one of three Cryptography Risk categories based
on cryptography observed in sessions, tunnels, and certificates.
- Data Exposure Risk—Identifies sessions using algorithms or protocols deprecated by the National Institute of Standards and Technology (NIST).
- Harvest Now, Decrypt Later Risk—Identifies the use of classical cryptography, which is currently secure but vulnerable to a cryptographically relevant quantum computer (CRQC). Attackers could steal data encrypted by these algorithms today to decrypt in the future. For more information on this threat, see The Quantum Computing Threat and Harvest Now, Decrypt Later (HNDL): The Quantum-Era Threat.
- Quantum Secure—Identifies the use of PQC for asymmetric use cases (key exchange and certificate signing) alongside strong classical algorithms for symmetric use cases (encryption and authentication). Data is protected from classical and quantum threats by algorithms compliant with PQC standards.
Quantum Readiness
In the app, quantum readiness refers to the capability of an asset to support PQC. An
asset is Quantum Ready when its underlying hardware or software supports
quantum-resistant algorithms, even if they are not in use. An asset is Quantum Safe
if it uses PQC or hybrid PQC that complies with NIST or other PQC standards.
The app determines if an asset is quantum-ready or quantum-safe based on hardware and
software attributes. It provides recommendations for modernizing assets that are Not
Ready and migrating Ready assets to PQC. You can assess overall posture from the
Overview dashboard. For individual asset status, check the Readiness column in the
Inventory.
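To make the Risk Classification and Quantum Readiness rules above concrete, the following Python script (an added example, not code from the Quantum-Safe Security app or Palo Alto Networks) classifies constructed TLS session metadata into the three Cryptography Risk categories and rolls the results up into a per-asset readiness status. The algorithm sets, the Session and Asset fields, the supports_pqc attribute, and the rollup rule (an asset is Quantum Safe only when every observed session is Quantum Secure) are assumptions modelled on the descriptions above, not the app's actual logic.

```python
"""Classify observed TLS session metadata into the three Cryptography Risk
categories and roll sessions up into per-asset readiness. Example code, not
the Quantum-Safe Security app's own logic; the algorithm sets and the rollup
rules are assumptions modelled on the page's descriptions."""
from dataclasses import dataclass
from typing import Iterable

# Assumed: protocols and algorithms NIST has deprecated or disallowed.
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
DEPRECATED_ALGORITHMS = {"RC4", "3DES", "MD5", "SHA1", "RSA-1024"}
# Assumed: NIST PQC standards (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205
# SLH-DSA) plus TLS hybrid key-exchange groups that combine ML-KEM with ECDH.
PQC_KEX = {"ML-KEM-768", "ML-KEM-1024", "X25519MLKEM768", "SecP256r1MLKEM768"}
PQC_SIG = {"ML-DSA-44", "ML-DSA-65", "ML-DSA-87", "SLH-DSA-SHA2-128s"}
# Assumed: symmetric ciphers still considered strong against a CRQC.
STRONG_SYMMETRIC = {"AES-128-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}

DATA_EXPOSURE = "Data Exposure Risk"
HNDL = "Harvest Now, Decrypt Later Risk"
QUANTUM_SECURE = "Quantum Secure"


@dataclass(frozen=True)
class Session:
    asset: str     # asset that terminated the session
    protocol: str  # e.g. "TLSv1.3"
    kex: str       # key-exchange algorithm or TLS group
    sig: str       # certificate signature algorithm
    cipher: str    # record-protection cipher


@dataclass(frozen=True)
class Asset:
    name: str
    supports_pqc: bool  # assumed attribute: software/firmware advertises PQC support


def classify(s: Session) -> str:
    """Map one session to a Cryptography Risk category, most severe first."""
    if s.protocol in DEPRECATED_PROTOCOLS or {s.kex, s.sig, s.cipher} & DEPRECATED_ALGORITHMS:
        return DATA_EXPOSURE
    if s.kex in PQC_KEX and s.sig in PQC_SIG and s.cipher in STRONG_SYMMETRIC:
        return QUANTUM_SECURE
    # Everything else, including a PQC key exchange under a classical certificate,
    # still relies on classical asymmetric cryptography somewhere in the handshake.
    return HNDL


def summarize(sessions: Iterable[Session]) -> dict:
    """Session counts per risk category, as the Overview dashboard reports them."""
    counts = {DATA_EXPOSURE: 0, HNDL: 0, QUANTUM_SECURE: 0}
    for s in sessions:
        counts[classify(s)] += 1
    return counts


def readiness(asset: Asset, sessions: Iterable[Session]) -> str:
    """'Quantum Safe' when every observed session on the asset is Quantum Secure,
    'Ready' when PQC is supported but not (fully) in use, otherwise 'Not Ready'."""
    own = [s for s in sessions if s.asset == asset.name]
    if own and all(classify(s) == QUANTUM_SECURE for s in own):
        return "Quantum Safe"
    return "Ready" if asset.supports_pqc else "Not Ready"


def readiness_report(assets: Iterable[Asset], sessions: Iterable[Session]) -> dict:
    """Asset name -> readiness status, as the Inventory's Readiness column shows it."""
    sessions = list(sessions)
    return {a.name: readiness(a, sessions) for a in assets}


# Constructed sample data, not captured from a real deployment.
SAMPLE_SESSIONS = [
    Session("legacy-app", "TLSv1.0", "RSA", "RSA", "3DES"),
    Session("web-portal", "TLSv1.3", "X25519", "ECDSA", "AES-256-GCM"),
    Session("pqc-gateway", "TLSv1.3", "X25519MLKEM768", "ML-DSA-65", "AES-256-GCM"),
    Session("pqc-browser", "TLSv1.3", "X25519MLKEM768", "ECDSA", "AES-128-GCM"),
]
SAMPLE_ASSETS = [
    Asset("legacy-app", supports_pqc=False),
    Asset("web-portal", supports_pqc=True),
    Asset("pqc-gateway", supports_pqc=True),
    Asset("pqc-browser", supports_pqc=True),
]


if __name__ == "__main__":
    print(summarize(SAMPLE_SESSIONS))
    print(readiness_report(SAMPLE_ASSETS, SAMPLE_SESSIONS))
```

The fourth sample session is the case worth noticing: a browser negotiating a hybrid ML-KEM group with a server that still presents an ECDSA certificate lands in the Harvest Now, Decrypt Later category under these rules, because Quantum Secure requires PQC for both key exchange and certificate signing. A partially migrated asset therefore shows as Ready rather than Quantum Safe until its certificate chain moves too.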
Application Views
You can monitor and manage your cryptographic posture across two
interactive views. In both views, you can adjust the time range to show data from
the Past 24 Hours, Past 7 Days, or
Past 30 Days.
- Overview—A dashboard summarizing the cryptographic health of your network. It displays the number of detected assets by type, the volume of data captured across these assets segmented by cryptographic risk, and the number of quantum-ready and quantum-safe assets. You can filter this information by All Assets, Applications, User Devices, Infrastructure, or IoT Devices. Selecting a Quantum Ready or Quantum Safe recommendation category directs you to those recommendations in the Inventory. The impact summary displays weekly metrics to help you monitor trends, such as the number of quantum-ready browsers.
- Inventory—A real-time cryptographic bill of materials (CBOM) that catalogs network assets and cryptographic usage. Assets are organized by type: Applications, User Devices, Infrastructure, or IoT Devices. The inventory tracks asset dependencies, cryptographic risk, and quantum readiness. You can filter assets by subtypes (for example, SaaS or Internet applications), readiness, cipher translation, and risk. Available filters update based on the active asset tab. The Recommendations panel displays recommendations targeted to specific asset types, risks, and readiness. To drill down into an individual asset, select the asset.
The following procedure outlines the steps required to get started with the
Quantum-Safe Security app. It assumes you are configuring policy rules on Strata Cloud Manager rather than on individual NGFWs. Completing these steps enables
the app to collect the metadata required for asset discovery and evaluation.
- Activate a Quantum-Safe Security license. This process includes onboarding NGFWs and Prisma Access tenants to the Strata Logging Service.
- Log in to Strata Cloud Manager.
- Enable logging of all TLS handshakes for decrypted and non-decrypted traffic. This enables your NGFWs and Prisma Access tenants to capture session metadata, including algorithms, protocols, and certificates.
  - For all decryption policy rules where the action is set to Decrypt, enable both Log Successful TLS Handshakes and Log Unsuccessful TLS Handshakes.
  - Configure a Do Not Decrypt decryption policy rule that logs all TLS handshakes. Applying this rule across all NGFWs and Prisma Access tenants increases memory consumption due to log volume and processing. To begin, apply this rule to perimeter firewalls and Prisma Access tenants. Use the following settings:
    - Ensure Source settings are set to their respective Any values.
    - Ensure Destination settings are set to their respective Any values.
    - For Action, select Do Not Decrypt.
    - For Logging, select Log Successful TLS Handshakes and Log Unsuccessful TLS Handshakes.
  - In the Decryption Policies list, Move this rule to the last position in the Post-Rulebase. This ensures it acts as a catch-all for traffic that does not match more specific decryption policy rules.
  - Commit your changes. Select Push Config > Push.
- (Recommended) Set up Device Security. Device Security enables existing firewalls to identify end-user and IoT devices without deploying any agents. It also enriches metadata with device attributes such as operating system. Make sure to:
  - Allocate Device Security subscriptions to the same Strata Cloud Manager tenant as the Quantum-Safe Security license.
  - Associate Device Security subscriptions with the same Strata Logging Service instance used in the first step.
  - Associate the Device Security licenses with the same NGFWs and Prisma Access instances you onboarded to that Strata Logging Service instance.
  - Activate Device Security.
  - Onboard Device Security.
- Launch the Quantum-Safe Security app, and verify that assets are populating. Select Insights > Quantum-Safe Security, and explore the Overview and Inventory views.
- Filter assets by multiple criteria to identify assets to prioritize for remediation or migration. For example, to identify web applications ready for migration, apply both the Type (select Internet) and Quantum Readiness (select Ready) filters.
  - Click Add Filter.
  - Select a filter, such as Quantum Readiness.
  - Select one or more sub-filters, such as Ready or Not Ready.
  - (Optional) Add more filters.
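As a check after completing the procedure, the following Python script (an added example, not part of Strata Cloud Manager or its API) audits an exported decryption rulebase for the conditions the steps above require: every Decrypt rule logs both successful and unsuccessful TLS handshakes, the last rule in the post-rulebase is an any/any Do Not Decrypt catch-all that logs both, and no any/any rule sits earlier where it would shadow the rules after it. The rule dictionaries are a constructed, simplified export shape and the field names are assumptions; map them to your own export format before use.

```python
"""Audit an exported decryption rulebase against the TLS-handshake logging
procedure. Example code, not part of Strata Cloud Manager; the rule
dictionaries are a constructed, simplified export shape (an assumption),
not the product's real schema or API."""
from copy import deepcopy

ANY = "any"


def logs_all_handshakes(rule: dict) -> bool:
    """True when the rule logs both successful and unsuccessful TLS handshakes."""
    return bool(rule.get("log_successful_tls_handshakes")) and bool(
        rule.get("log_unsuccessful_tls_handshakes"))


def is_catch_all(rule: dict) -> bool:
    """True for a Do Not Decrypt rule whose Source and Destination settings are all Any."""
    return rule.get("action") == "no-decrypt" and all(
        value == ANY for side in ("source", "destination") for value in rule[side].values())


def audit(pre_rules: list, post_rules: list) -> list:
    """Return findings; an empty list means the rulebase matches the procedure."""
    findings = []
    for rule in pre_rules + post_rules:
        if rule["action"] == "decrypt" and not logs_all_handshakes(rule):
            findings.append(f"{rule['name']}: Decrypt rule must log successful and unsuccessful TLS handshakes")
    if not post_rules:
        return findings + ["post-rulebase is empty: add a Do Not Decrypt catch-all that logs all TLS handshakes"]
    last = post_rules[-1]
    if not (is_catch_all(last) and logs_all_handshakes(last)):
        findings.append(f"{last['name']}: last post-rule is not an any/any Do Not Decrypt rule that logs all TLS handshakes")
    # First match wins, so an any/any catch-all anywhere but last shadows every rule after it.
    for rule in post_rules[:-1]:
        if is_catch_all(rule):
            findings.append(f"{rule['name']}: any/any catch-all is not last; later rules can never match")
    return findings


# Constructed sample rulebase. The Decrypt rule logs only successful handshakes.
PRE_RULES = [
    {"name": "decrypt-outbound-web", "action": "decrypt",
     "source": {"zone": "trust", "address": ANY, "user": ANY},
     "destination": {"zone": "untrust", "address": ANY},
     "log_successful_tls_handshakes": True, "log_unsuccessful_tls_handshakes": False},
]
POST_RULES = [
    {"name": "no-decrypt-finance", "action": "no-decrypt",
     "source": {"zone": "trust", "address": "finance-net", "user": ANY},
     "destination": {"zone": ANY, "address": ANY},
     "log_successful_tls_handshakes": True, "log_unsuccessful_tls_handshakes": True},
    {"name": "log-all-tls-handshakes", "action": "no-decrypt",
     "source": {"zone": ANY, "address": ANY, "user": ANY},
     "destination": {"zone": ANY, "address": ANY},
     "log_successful_tls_handshakes": True, "log_unsuccessful_tls_handshakes": True},
]


def remediated_pre_rules() -> list:
    """Copy of PRE_RULES with both handshake log settings enabled on every Decrypt rule."""
    fixed = deepcopy(PRE_RULES)
    for rule in fixed:
        if rule["action"] == "decrypt":
            rule["log_successful_tls_handshakes"] = True
            rule["log_unsuccessful_tls_handshakes"] = True
    return fixed


if __name__ == "__main__":
    for finding in audit(PRE_RULES, POST_RULES):
        print("FINDING:", finding)
    print("after remediation:", audit(remediated_pre_rules(), POST_RULES) or "clean")
```

Run it against the sample data and the only finding is the Decrypt rule with unsuccessful-handshake logging switched off; after remediation the audit is clean. Reversing the post-rulebase order reproduces the ordering mistake the procedure warns about: the catch-all is no longer last, and the finance rule behind it can never match.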