Focus

Configure Server Certificate Verification for Undecrypted Traffic

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Configure SSH Proxy

Decryption Exclusions

Configure Server Certificate Verification for Undecrypted Traffic

Even though the traffic is encrypted, you can protect your network against sessions with expired certificates and untrusted issuers for traffic you choose not to decrypt for legal, business, or privacy reasons.

You create no-decryption policies for traffic that you choose not to decrypt because the traffic is personal, sensitive, or subject to local laws and regulations. For example, you may choose not to decrypt the traffic of certain executives or traffic between finance users and finance servers that contain personal information. (Don’t exclude traffic that you can’t decrypt because a site breaks decryption for technical reasons such as a pinned certificate or mutual authentication by policy. Instead, add the hostname to the Decryption Exclusion List.)

However, just because you don’t decrypt the traffic doesn’t mean you should let any and all undecrypted traffic on your network. It is a best practice to apply a No Decryption profile to undecrypted traffic to block sessions with expired certificates and untrusted issuers.

Create a Decryption Policy Rule to identify the undecrypted traffic and Create a Decryption Profile to block bad sessions.
1. Select PoliciesDecryption and Add or modify an existing rule to identify the undecrypted traffic.
2. Select Options and:
  - Set the rule Action to No Decrypt so that the firewall doesn’t decrypt traffic that matches the rule.
  - Ignore the rule Type because the traffic is not decrypted.
  - (Optional but a best practice) Configure or select an existing Decryption profile for undecrypted traffic to block sessions with expired certificates and untrusted certificate issuers.
    
    Do not attach a No Decryption profile to Decryption policies for TLSv1.3 traffic that you don’t decrypt because the firewall can’t read the encrypted certificate information so it can’t perform certificate checks. However, you should still create a Decryption policy for TLSv1.3 traffic that you don’t decrypt because undecrypted traffic isn’t logged unless a Decryption policy controls that traffic.
Commit the configuration.
Choose your next step:
- Enable Users to Opt Out of SSL Decryption.
- Configure Decryption Exclusions to disable decryption for certain types of traffic.

Configure SSH Proxy

Decryption Exclusions

Next-Generation Firewall Docs

Configure Server Certificate Verification for Undecrypted Traffic

Next-Generation Firewall Docs

Configure Server Certificate Verification for Undecrypted Traffic

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner