The firewall provides a predefined SSL Decryption Exclusion list to exclude from decryption commonly used sites that break decryption because of technical reasons such as pinned certificates and mutual authentication. The predefined decryption exclusions are enabled by default and Palo Alto Networks delivers new and updated predefined decryption exclusions to the firewall as part of the Applications and Threats content update (or the Applications content update, if you do not have a Threat Prevention license). The firewall does not decrypt traffic that matches predefined exclusions and allows the encrypted traffic based on the Security policy that governs that traffic. However, the firewall can’t inspect the encrypted traffic or enforce Security policy on it.

Because the traffic of sites on the SSL Decryption Exclusion list remains encrypted, the firewall does not inspect or provide further security enforcement the traffic. You can disable a predefined exclusion. For example, you may choose to disable predefined exclusions to enforce a strict security policy that allows only applications and services that the firewall can inspect and on which the firewall can enforce Security policy. However, the firewall blocks sites whose applications and services break decryption technically if they are not enabled on the SSL Decryption Exclusion list.

You can view and manage all Palo Alto Networks predefined SSL decryption exclusions directly on the firewall (DeviceCertificate ManagementSSL Decryption Exclusions).

The Hostname displays the name of the host that houses the application or service that breaks decryption technically. You can also Add hosts to Exclude a Server from Decryption for Technical Reasons if it is not on the predfined list.

The Description displays the reason the firewall can’t decrypt the site’s traffic, for example, pinned-cert (a pinned certificate) or client-cert-auth (client authentication).

The firewall automatically removes enabled predefined SSL decryption exclusions from the list when they become obsolete (the firewall removes an application that decryption previously caused to break when the application becomes supported with decryption). Show Obsoletes checks if any disabled predefined exclusions remain on the list and are no longer needed. The firewall does not remove disabled predefined decryption exclusions from the list automatically, but you can select and Delete obsolete entries.

You can select a hostname’s checkbox and then click Disable to remove predefined sites from the list. Use the SSL Decryption Exclusion list only for sites that break decryption for technical reasons, don’t use it for sites that you choose not to decrypt.