For added security, you can use an HSM to
secure the private keys used in SSL/TLS decryption for:
SSL Forward Proxy—The HSM can store the private key of the Forward
Trust certificate that signs certificates in SSL/TLS forward proxy
operations. The firewall will then send the certificates that it
generates during such operations to the HSM for signing before forwarding
the certificates to the client.
SSL Inbound Inspection—The HSM can store the private keys for
the internal servers for which you are performing SSL/TLS inbound
inspection.
If you use the DHE or ECDHE key exchange
algorithms to enable perfect forward secrecy (PFS) support for SSL
decryption, you can use an HSM to store the private keys for SSL
Inbound Inspection. You can also use an HSM to store ECDSA keys
used for SSL Forward Proxy or SSL Inbound Inspection decryption
unless you are using TLSv1.3. For TLSv1.3 traffic, PAN-OS supports
HSMs only for SSL Forward Proxy. It does not support HSMs for SSL
Inbound Inspection.