10-25-2025 01:12 PM
How can we decrypt MQTT's port 8883 traffic at a Palo Alto firewall, or is it possible at all?
10-31-2025 10:08 AM
Hi @NetSecFirewall ,
The answer is nuanced because you don't provide a lot of info.
As far as I know, MQTT can be decrypted normally on PANW in its default setup. Secure communication is enabled by using Transport Layer Security (TLS), which can then be enhanced with certificate pinning (or fingerprint validation) for additional security against man-in-the-middle attacks (in which case decryption will not be possible).
Some websites are misconfigured and will not send complete certificate chains (up to the root), as the RFC standard requires. The firewall has only root certificates in its "Default Trusted Certificate Authorities" store. In case an intermediate certificate is missing from the certificate list presented by the server, the firewall will not be able to construct the chain to the root and will present the "Forward Untrust Certificate" to the client when decryption is enabled: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decry...
As per the doc above, there are some steps you can perform to resolve that problem:
1. Filter the Decryption log to identify Decryption sessions that failed because of an incomplete certificate chain.
2. Copy and paste the URI into your browser and then press Enter to download the missing intermediate certificate.
3. Import the certificate into the firewall.
4. Select Trusted Root CA to mark the certificate as a Trusted Root CA on the firewall.
Kind regards,
-Kim.