If you use the DHE or ECDHE key exchange
algorithms to enable perfect forward secrecy (PFS) support for SSL
decryption, you can use an HSM to store the private keys for SSL
Inbound Inspection. You can also use an HSM to store ECDSA keys
used for SSL Forward Proxy or SSL Inbound Inspection decryption
unless you are using TLSv1.3. For TLSv1.3 traffic, PAN-OS supports
HSMs only for SSL Forward Proxy. It does not support HSMs for SSL
Inbound Inspection.