The firewall automatically bypasses decryption for sites
that are known to break decryption for technical reasons such as
a pinned certificate (the traffic is still subject to Security policy).
The firewall provides a predefined SSL Decryption Exclusion
list to exclude from decryption commonly used sites that break decryption because
of technical reasons such as pinned certificates and mutual authentication.
The predefined decryption exclusions are enabled by default and Palo
Alto Networks delivers new and updated predefined decryption exclusions
to the firewall as part of the Applications and Threats content
update (or the Applications content update, if you do not have a
Threat Prevention license). The firewall does not decrypt traffic
that matches predefined exclusions and allows the encrypted traffic
based on the Security policy that governs that traffic. However,
the firewall can’t inspect the encrypted traffic or enforce Security
policy on it.
The SSL Decryption Exclusion list is not for sites
that you choose not to decrypt for legal, regulatory, business,
privacy, or other volitional reasons; it is only for sites that
break decryption technically (decrypting these sites blocks their
traffic). For traffic such as IP addresses, users, URL categories,
services, and even entire zones that you choose not to decrypt, Create
a Policy-Based Decryption Exclusion instead.
Because the traffic of sites on the SSL Decryption Exclusion
list remains encrypted, the firewall does not inspect or provide
further security enforcement on the traffic. You can disable a predefined
exclusion. For example, you may choose to disable predefined exclusions
to enforce a strict security policy that allows only applications
and services that the firewall can inspect and on which the firewall
can enforce Security policy. However, the firewall blocks sites
whose applications and services break decryption technically if
they are not enabled on the SSL Decryption Exclusion list.
You can view and manage all Palo Alto Networks predefined SSL
decryption exclusions directly on the firewall (Device > Certificate Management > SSL Decryption Exclusions).
The Hostname displays the name of the
host that houses the application or service that breaks decryption
technically. You can also Add hosts to Exclude
a Server from Decryption for Technical Reasons if it is not
on the predefined list.
The Description displays the reason the
firewall can’t decrypt the site’s traffic, for example, pinned-cert (a
pinned certificate) or client-cert-auth (client
authentication).
The firewall automatically removes enabled predefined SSL decryption
exclusions from the list when they become obsolete (the firewall
removes an application that decryption previously caused to break
when the application becomes supported with decryption). Show
Obsoletes checks if any disabled predefined exclusions
remain on the list and are no longer needed. The firewall does not
remove disabled predefined decryption exclusions from the list automatically,
but you can select and Delete obsolete entries.
You can select a hostname’s checkbox and then click Disable to
remove predefined sites from the list. Use the SSL Decryption Exclusion
list only for sites that break decryption for technical reasons;
don’t use it for sites that you choose not to decrypt.
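As an added illustration (not Palo Alto Networks code and not the firewall's implementation), the following Python models the handling this page describes: traffic to an enabled exclusion passes encrypted and uninspected, traffic to a disabled entry that still breaks decryption is blocked, obsolete disabled entries are surfaced by a Show Obsoletes style check, and an auditor can measure how much observed TLS traffic bypassed inspection. The hostnames, the record fields and the exact-hostname lookup are assumptions made for the example.

```python
"""Model of the SSL Decryption Exclusion list decision logic described above.
Constructed sample data; not Palo Alto Networks code."""
from dataclasses import dataclass


@dataclass
class Exclusion:
    hostname: str          # host that houses the app/service that breaks decryption
    description: str       # reason shown on the firewall, e.g. "pinned-cert", "client-cert-auth"
    enabled: bool = True   # predefined exclusions are enabled by default
    obsolete: bool = False # the host now works with decryption (constructed flag)


# Constructed sample list; placeholder hostnames, not real predefined entries.
EXCLUSIONS = [
    Exclusion("pinned.example.test", "pinned-cert"),
    Exclusion("mtls.example.test", "client-cert-auth"),
    Exclusion("legacy.example.test", "pinned-cert", enabled=False, obsolete=True),
    Exclusion("strict.example.test", "pinned-cert", enabled=False),
]


def lookup(hostname, exclusions=EXCLUSIONS):
    """Exact, case-insensitive hostname match (matching rule is an assumption)."""
    h = hostname.lower().rstrip(".")
    return next((e for e in exclusions if e.hostname == h), None)


def decide(hostname, exclusions=EXCLUSIONS):
    """Handling of a flow to `hostname` that a decryption policy would otherwise decrypt."""
    e = lookup(hostname, exclusions)
    if e is not None and e.enabled:
        return "pass-encrypted"   # allowed by Security policy but never inspected
    if e is not None and not e.obsolete:
        return "blocked"          # decryption is attempted and the pinned cert / client auth breaks it
    return "decrypted"            # normal case: decrypted and inspected


def show_obsoletes(exclusions=EXCLUSIONS):
    """Disabled predefined entries that are no longer needed; only an admin deletes them."""
    return [e.hostname for e in exclusions if not e.enabled and e.obsolete]


def uninspected_share(snis, exclusions=EXCLUSIONS):
    """Fraction of observed TLS flows (by SNI) that bypassed inspection via the list."""
    verdicts = [decide(s, exclusions) for s in snis]
    return verdicts.count("pass-encrypted") / len(verdicts) if verdicts else 0.0
```

Running `uninspected_share` over SNI values from your own traffic logs shows the visibility gap the enabled exclusions create, which is the trade-off the page describes.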