You can add applications that break decryption for technical
reasons and aren’t already on the SSL Decryption Exclusion list,
such as internal custom applications, to the list so that the
firewall automatically bypasses decryption for them.
If decryption technically breaks an important application
or service (decrypting the traffic blocks it), you can
add the hostname of the site that hosts the application or service
to the Palo Alto Networks predefined SSL Decryption Exclusion list
to create a custom decryption exception. The firewall doesn’t decrypt
or inspect traffic that the SSL Decryption Exclusion list allows, so it
can’t enforce Security policy on the content of that traffic because
the traffic remains encrypted. Be sure that the sites you add to the
list really are sites that host applications or services you need
for business. For example, some business-critical internal custom
applications may break decryption; you can add them to the list so
that the firewall allows the encrypted custom application traffic.
The SSL Decryption Exclusion list is not for sites that you choose
not to decrypt for legal, regulatory, business, privacy, or other
volitional reasons; it is only for sites that break decryption
technically. For traffic (IP addresses, users, URL categories,
services, and even entire zones) that you choose not to decrypt,
Create a Policy-Based Decryption Exclusion instead.
Reasons that sites break decryption technically include pinned
certificates, mutual authentication (the firewall can’t present the
client’s certificate to the server), incomplete certificate chains,
and unsupported ciphers. For HTTP public key pinning (HPKP), most
browsers that implemented HPKP permit Forward Proxy decryption as long
as you install the enterprise CA certificate (or the certificate chain)
in the client’s trust store, because pins are not enforced for chains
that terminate in a locally installed root; major browsers have since
removed support for HPKP altogether.
If the technical reason for excluding a site from decryption is an
incomplete certificate chain, the next-generation firewall doesn’t
automatically fetch the missing intermediate certificates as a browser
would. Before you add such a site to the SSL Decryption Exclusion list,
manually review the site to ensure it’s a legitimate business site. If
it is, you can download the missing sub-CA (intermediate) certificates
and load and deploy them onto the firewall; with the full chain
available, the firewall can validate the server certificate and decrypt
the traffic, so you don’t need to exclude the site at all.
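To make the chain-building point concrete, here is an added Python example (not Palo Alto Networks code) that models the firewall’s behaviour: it walks from the leaf certificate through the issuers the server presented plus any sub-CA certificates an administrator loaded, and stops at a trusted root or reports the first issuer it cannot find. Certificates are modelled as (subject, issuer) name pairs only, with no signature checks, and all names are constructed for the example.

```python
"""Name-based chain building, as a firewall that does not fetch missing
issuers would do it.  Added example, not Palo Alto Networks code: certs are
(subject, issuer) name pairs with no signature verification, and every name
below is constructed for illustration."""
from typing import NamedTuple


class Cert(NamedTuple):
    subject: str
    issuer: str


def build_chain(presented, installed, trusted_roots):
    """Try to link the leaf certificate to a trusted root.

    presented     - certificates the server sent in the handshake, leaf first
    installed     - sub-CA certificates an admin loaded onto the firewall
    trusted_roots - root CAs the firewall trusts
    Returns (complete, chain, missing_issuer).  Unlike a browser, nothing here
    downloads a missing intermediate: it is presented, installed, or absent.
    """
    by_subject = {}
    for cert in list(presented[1:]) + list(installed):
        by_subject.setdefault(cert.subject, cert)
    root_names = {root.subject for root in trusted_roots}

    leaf = presented[0]
    chain = [leaf]
    seen = {leaf.subject}
    while True:
        current = chain[-1]
        if current.issuer in root_names:
            return True, chain, None           # chain ends in a trusted root
        nxt = by_subject.get(current.issuer)
        if nxt is None or nxt.subject in seen:
            return False, chain, current.issuer  # gap: issuer unavailable (or a loop)
        chain.append(nxt)
        seen.add(nxt.subject)


# Constructed names for the example.
ROOT = Cert("Example Root CA", "Example Root CA")
SUB_CA = Cert("Example Issuing CA 1", "Example Root CA")
LEAF = Cert("app.internal.example", "Example Issuing CA 1")


def demo():
    """Server sends only the leaf: the chain is incomplete until the sub-CA
    is loaded onto the firewall, after which it builds to the trusted root."""
    before = build_chain([LEAF], [], [ROOT])
    after = build_chain([LEAF], [SUB_CA], [ROOT])
    return before[0], before[2], after[0]


if __name__ == "__main__":
    complete, missing, fixed = demo()
    print(f"complete before loading sub-CA: {complete}; missing issuer: {missing!r}")
    print(f"complete after loading sub-CA:  {fixed}")
```

The same server that fails with only its leaf presented succeeds once the missing issuer is either presented by the server or installed on the firewall; that is the whole difference between excluding the site and fixing the chain.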
After you add a server to the SSL Decryption Exclusion list, the
firewall compares the hostname that you used to define the decryption
exclusion against both the Server Name Indication (SNI) in the client’s
ClientHello message and the Common Name (CN) in the server certificate.
If either the SNI or the CN matches the entry in the SSL Decryption
Exclusion list, the firewall excludes the session from decryption.
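The following added Python example (not PAN-OS code) implements the match described above: each exclusion entry is compared with the ClientHello SNI and with the certificate CN, and a hit on either one excludes the session. It also handles a client that sends no SNI. The leading `*.` wildcard semantics (any subdomain, not the bare domain) and all hostnames are assumptions made for illustration.

```python
"""Hostname match for a decryption exclusion entry: compare the entry with the
ClientHello SNI and the server-certificate CN; a hit on either excludes the
session.  Added example, not PAN-OS code.  The '*.' wildcard handling and all
hostnames below are assumptions constructed for illustration."""
from typing import Iterable, Optional


def _normalise(name: Optional[str]) -> str:
    """Lower-case, strip whitespace and a trailing dot; None (no SNI) becomes ''."""
    return (name or "").strip().rstrip(".").lower()


def host_matches(entry: str, host: Optional[str]) -> bool:
    """Exact match, or, for an entry like '*.vendor.example', any subdomain of
    vendor.example (assumed wildcard semantics; the bare domain does not match)."""
    entry, host = _normalise(entry), _normalise(host)
    if not entry or not host:
        return False
    if entry.startswith("*."):
        return host.endswith(entry[1:]) and host != entry[2:]
    return entry == host


def exclusion_match(exclusions: Iterable[str], sni: Optional[str],
                    cert_cn: Optional[str]) -> Optional[str]:
    """Return the first exclusion entry matched by the SNI or the CN, else None."""
    for entry in exclusions:
        if host_matches(entry, sni) or host_matches(entry, cert_cn):
            return entry
    return None


# Constructed exclusion list and sample sessions.
EXCLUSIONS = ["app.internal.example", "*.pinned-vendor.example"]

SESSIONS = {
    # name: (ClientHello SNI, server certificate CN)
    "sni hit":     ("app.internal.example", "app.internal.example"),
    "cn only":     (None, "app.internal.example"),            # client sent no SNI
    "wildcard":    ("api.pinned-vendor.example", "pinned-vendor-cdn.example"),
    "bare domain": ("pinned-vendor.example", "pinned-vendor.example"),
    "no match":    ("www.example.com", "www.example.com"),
}


def classify_sessions():
    """Map each sample session to the exclusion entry it hit, or None."""
    return {name: exclusion_match(EXCLUSIONS, sni, cn)
            for name, (sni, cn) in SESSIONS.items()}


if __name__ == "__main__":
    for name, hit in classify_sessions().items():
        action = f"bypass decryption ({hit})" if hit else "decrypt"
        print(f"{name:12} -> {action}")
```

Two practical consequences fall out of this model: a client that omits SNI can still be excluded through the certificate CN, and a certificate that carries its name only in the Subject Alternative Name extension (with an empty or unrelated CN) is matched only if the client’s SNI matches, because the CN path described on this page doesn’t consult SANs.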