Decryption Exclusions
Some applications can’t be decrypted for technical reasons and others for business,
compliance, or regulatory reasons. Make decryption exceptions only when
necessary.
You can exclude two types of traffic from decryption:
Traffic that breaks decryption for technical reasons, such as using a
pinned certificate, an incomplete certificate chain, unsupported ciphers, or
mutual authentication (attempting to decrypt the traffic results in blocking the
traffic). Palo Alto Networks provides a predefined SSL Decryption Exclusion list () that automatically excludes hosts with applications and services
that are known to break decryption technically. If you encounter sites that
break decryption technically and are not on the SSL Decryption Exclusion list,
you can add them to list manually by server hostname. The firewall blocks sites
whose applications and services break decryption technically if they are not
added to the SSL Decryption Exclusion list.
If a Decryption profile allows
Unsupported Modes (sessions with client
authentication, unsupported versions, or unsupported cipher suites), the
firewall automatically adds servers and applications that use the allowed
unsupported modes to its Local SSL Decryption Exclusion Cache (). When you block unsupported modes, you increase security but
also block communication with applications that use those modes.
Traffic that you choose not to decrypt because of business, regulatory,
personal, or other reasons, such as financial-services, health-and-medicine, or
government traffic. You can choose to exclude traffic based on source,
destination, URL category, and service.
You can use asterisks (*) as wildcards to create decryption exclusions for multiple
hostnames associated with a domain. Asterisks behave the same way that carets (^) behave
for
URL category exceptions—each asterisk controls
one variable subdomain (label) in the hostname. This enables you to create both very
specific and very general exclusions. For example:
mail.*.com matches mail.company.com but does not match
mail.company.sso.com
*.company.com matches tools.company.com but does not match
eng.tools.company.com
*.*.company.com matches eng.tools.company.com but does not match
eng.company.com
*.*.*.company.com matches corp.exec.mail.company.com but does not match
corp.mail.company.com
mail.google.* matches mail.google.com but does not match
mail.google.uk.com
mail.google.*.* matches mail.google.co.uk but does not match mail.google.com
To exclude video-stats.video.google.com from decryption but not video.google.com, add
*.*.google.com to the SSL Decryption Exclusion list.
To increase visibility into traffic and reduce the attack surface as much as possible,
don’t make decryption exceptions unless you must.