If the Decryption profile you apply to decrypted traffic specifies
the protocol’s
Max Version
as
Max
,
then the profile supports TLSv1.3 and automatically uses TLSv1.3
with sites that support TLSv1.3. (You could set the
Max
Version
to
TLSv1.3
to support
TLSv1.3, but when the next version of TLS is released, you will
need to update the profile. Setting the
Max Version
to
Max
future-proofs
the profile to automatically support new TLS versions as they are
released.) When you upgrade to PAN-OS 10.0, all Decryption profiles
with the
Max Version
set to
Max
are
reset to
TLSv1.2
to provide automatic support
for mobile applications that use pinned certificates and prevent
that traffic from dropping.