: TLSv1.3 Support for HSM Integration with SSL Inbound Inspection
Focus
Focus

TLSv1.3 Support for HSM Integration with SSL Inbound Inspection

Table of Contents

TLSv1.3 Support for HSM Integration with SSL Inbound Inspection

Learn about support for inbound inspection of TLSv1.3 sessions when private keys are stored on an HSM.
PAN-OS now supports the decryption of TLSv1.3 sessions in SSL Inbound Inspection mode when the private keys of internal servers are stored on Hardware Security Modules (HSMs). The superior performance and security of TLSv1.3 combined with the protection of HSMs hardens inbound decryption. This feature is only compatible with the Thales Luna Network and Entrust nShield Connect HSMs. To activate this support, use the set ssl inbound-inspection tls1.3-with-hsm enable yes CLI command. This feature is disabled by default. You must set up connectivity between a supported HSM and Palo Alto Networks appliances and apply a Decryption profile that specifies TLSv1.3 as the minimum or maximum supported TLS version to an SSL Inbound Inspection rule first.