Exclude a Server from Decryption for Technical Reasons

You can add applications that break decryption for technical reasons and aren’t already on the SSL Decryption Exclusion list (for example, internal custom applications) to the list so that the firewall automatically bypasses decryption for them.
If decryption breaks an important application or service technically (decrypting the traffic blocks it), you can add the hostname of the site that hosts the application or service to the Palo Alto Networks predefined SSL Decryption Exclusion list to create a custom decryption exception. Traffic that the SSL Decryption Exclusion list allows remains encrypted, so the firewall doesn’t decrypt it, inspect it, or enforce Security policy on its content; be sure that the sites you add to the list really host applications or services you need for business. For example, some business-critical internal custom applications may break decryption, and you can add them to the list so that the firewall allows the encrypted custom application traffic.
The SSL Decryption Exclusion list is not for sites that you choose not to decrypt for legal, regulatory, business, privacy, or other policy reasons; it is only for sites that break decryption technically. For traffic (IP addresses, users, URL categories, services, and even entire zones) that you choose not to decrypt, Create a Policy-Based Decryption Exclusion.
Reasons that sites break decryption technically include pinned certificates, client authentication, incomplete certificate chains, and unsupported ciphers. For HTTP public key pinning (HPKP), most browsers that use HPKP permit Forward Proxy decryption as long as you install the enterprise CA certificate (or the certificate chain) on the client, because browsers exempt locally installed trust anchors from pin validation.
If the technical reason for excluding a site from decryption is an incomplete certificate chain, the next-generation firewall doesn’t automatically fix the chain as a browser would. If you need to add a site to the SSL Decryption Exclusion list, manually review the site to ensure it’s a legitimate business site, then download the missing sub-CA certificates and load and deploy them onto the firewall.
After you add a server to the SSL Decryption Exclusion list, the firewall compares the server hostname that you use to define the decryption exclusion against both the Server Name Indication (SNI) in the client hello message and the Common Name (CN) in the server certificate. If either the SNI or the CN matches the entry in the SSL Decryption Exclusion list, the firewall excludes the traffic from decryption.
  1. Select Device > Certificate Management > SSL Decryption Exclusions.
  2. Add a new decryption exclusion, or select an existing custom entry to modify it.
  3. Enter the hostname of the website or application you want to exclude from decryption.
    The hostname is case-sensitive.
    You can use wildcards to exclude multiple hostnames associated with a domain. The firewall excludes from decryption all sessions where the server presents a CN (or the client sends an SNI) that matches the domain.
    Make sure that the hostname field is unique for each custom entry. If a predefined exclusion matches a custom entry, the custom entry takes precedence.
  4. (Optional) Select Shared to share the exclusion across all virtual systems in a multiple virtual system firewall.
  5. Exclude the application from decryption. Alternatively, if you are modifying an existing decryption exclusion, you can clear this checkbox to start decrypting an entry that was previously excluded from decryption.
  6. Click OK to save the new exclusion entry.
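The following is an added example, not code from the page or from Palo Alto Networks, that models the matching rules described above (SNI or CN matched case-sensitively against each entry, wildcard entries covering a domain, a custom entry overriding a predefined entry with the same hostname, and a cleared "Exclude from decryption" checkbox turning decryption back on). The wildcard form `*.example.net`, the assumption that it covers names under the domain but not the bare domain itself, the `Exclusion` dataclass, and all hostnames and sessions are constructed for illustration and are not firewall internals.

```python
"""Model of SSL Decryption Exclusion matching (added example, not PAN-OS code).

Assumptions (not taken from the page): an entry is the hostname string as
typed into the table; a leading "*." is the wildcard form and covers any
label(s) under that domain, but not the bare domain; matching is
case-sensitive; a session is excluded when EITHER the ClientHello SNI or
the server certificate CN matches an entry whose exclusion is enabled.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Exclusion:
    hostname: str            # value of the Hostname field
    exclude: bool = True     # the "Exclude from decryption" checkbox
    predefined: bool = False # True for Palo Alto Networks predefined entries


def hostname_matches(entry: str, name: Optional[str]) -> bool:
    """Case-sensitive match of one table entry against an SNI or CN value."""
    if not name:                       # e.g. a client that sends no SNI
        return False
    if entry.startswith("*."):
        suffix = entry[1:]             # "*.example.net" -> ".example.net"
        return name.endswith(suffix) and len(name) > len(suffix)
    return entry == name


def effective_entries(entries: Iterable[Exclusion]) -> Dict[str, Exclusion]:
    """Collapse the table by hostname; a custom entry wins over a predefined one."""
    table: Dict[str, Exclusion] = {}
    for e in entries:
        existing = table.get(e.hostname)
        if e.predefined and existing is not None and not existing.predefined:
            continue                   # keep the custom entry already present
        table[e.hostname] = e
    return table


def find_match(entries: Iterable[Exclusion], sni: Optional[str],
               cn: Optional[str]) -> Optional[Exclusion]:
    """Return the first effective entry matching the session's SNI or CN."""
    for e in effective_entries(entries).values():
        if hostname_matches(e.hostname, sni) or hostname_matches(e.hostname, cn):
            return e
    return None


def is_excluded(entries: Iterable[Exclusion], sni: Optional[str],
                cn: Optional[str]) -> bool:
    """True when the session bypasses decryption under the given table."""
    m = find_match(entries, sni, cn)
    return m is not None and m.exclude


# Constructed exclusion table (hostnames are illustrative only).
EXCLUSIONS = [
    Exclusion("app.internal.example.com"),              # custom, exact
    Exclusion("*.example.net"),                          # custom, wildcard
    Exclusion("legacy.example.org", predefined=True),    # predefined
    Exclusion("legacy.example.org", exclude=False),      # custom override:
                                                         # decrypt it again
]

# Constructed sessions: (description, SNI from ClientHello, CN from server cert).
SESSIONS = [
    ("custom app, exact match",     "app.internal.example.com", "app.internal.example.com"),
    ("no SNI, CN hits wildcard",    None,                       "pinned.example.net"),
    ("wrong case, no match",        "App.Internal.Example.com", "App.Internal.Example.com"),
    ("bare domain, wildcard misses","example.net",              "example.net"),
    ("predefined entry overridden", "legacy.example.org",       "legacy.example.org"),
]

if __name__ == "__main__":
    for desc, sni, cn in SESSIONS:
        print(f"{desc:32s} excluded={is_excluded(EXCLUSIONS, sni, cn)}")
```

Run it to see which constructed sessions would bypass decryption; the case-mismatch and bare-domain rows are the two that most often surprise administrators when a custom entry appears not to take effect.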