Decryption Exclusions
Some applications can’t be decrypted for technical reasons
and others for business, compliance, or regulatory reasons. Make
decryption exceptions only when necessary.
You can exclude two types of traffic from decryption:
Traffic that breaks decryption for technical reasons,
such as using a pinned certificate, an incomplete certificate chain,
unsupported ciphers, or mutual authentication (attempting to decrypt
the traffic results in blocking the traffic). Palo Alto Networks
provides a predefined SSL Decryption Exclusion list () that
excludes hosts with applications and services that are known to break
decryption technically from SSL Decryption by default. If you encounter
sites that break decryption technically and are not on the SSL Decryption
Exclusion list, you can add them to list manually by server hostname.
The firewall blocks sites whose applications and services break
decryption technically unless you add them to the SSL Decryption
Exclusion list.
If the Decryption profile allows Unsupported
Modes (sessions with client authentication, unsupported
versions, or unsupported cipher suites), the firewall automatically
adds servers and applications that use the allowed unsupported modes
to the its Local SSL Decryption Exclusion Cache (). When you block unsupported modes,
you increase security but you also block communication with applications
that use those modes.
Traffic that you choose not to decrypt because of
business, regulatory, personal, or other reasons, such as financial-services,
health-and-medicine, or government traffic. You can choose to exclude
traffic based on source, destination, URL category, and service.
You can use asterisks (*) as wildcards to create decryption exclusions
for multiple hostnames associated with a domain. Asterisks behave
the same way that carets (^) behave for URL category exceptions—each
asterisk controls one variable subdomain (label) in the hostname.
This enables you to create both very specific and very general exclusions.
For example:
mail.*.com matches mail.company.com but does not match mail.company.sso.com.
*.company.com matches tools.company.com but does not match eng.tools.company.com.
*.*.company.com matches eng.tools.company.com but does not
match eng.company.com.
*.*.*.company.com matches corp.exec.mail.company.com, but
does not match corp.mail.company.com.
mail.google.* matches mail.google.com, but does not match
mail.google.uk.com.
mail.google.*.* matches mail.google.co.uk, but does not match mail.google.com.
For example, to use wildcards to exclude video-stats.video.google.com
from decryption but not to exclude video.google.com from decryption,
exclude *.*.google.com.
Regardless of the number of asterisk wildcards that precede
a hostname (without a non-wildcard label preceding the hostname),
the hostname matches the entry. For example, *.google.com, *.*.google.com,
and *.*.*.google.com all match google.com. However, *.dev.*.google.com
does not match google.com because one label (dev) is not a wildcard.
To increase visibility into traffic and reduce the attack surface
as much as possible, don’t make decryption exceptions unless you
must.