Exclude a Server from Decryption for Technical Reasons
You can add applications that break decryption for technical reasons and that aren't already on the predefined SSL Decryption Exclusion list, such as internal custom applications, to the list so that the firewall automatically bypasses decryption for them.
If decryption technically breaks an important application or service (decrypting the traffic blocks it), you can add the hostname of the site that hosts the application or service to the Palo Alto Networks predefined SSL Decryption Exclusion list to create a custom decryption exception. Traffic that the SSL Decryption Exclusion list allows remains encrypted, so the firewall can't decrypt or inspect it or enforce content-based Security policy on it. Be sure that the sites you add to the list really are sites that host applications or services you need for business. For example, some business-critical internal custom applications may break decryption, and you can add them to the list so that the firewall allows the encrypted custom application traffic.
The SSL Decryption Exclusion list is not for sites that you choose not to decrypt for legal, regulatory, business, privacy, or other volitional reasons; it is only for sites that break decryption technically. For traffic (IP addresses, users, URL categories, services, and even entire zones) that you choose not to decrypt, Create a Policy-Based Decryption Exclusion.
Reasons that sites break decryption technically include pinned certificates, client authentication, incomplete certificate chains, and unsupported ciphers. For HTTP public key pinning (HPKP), most browsers that use HPKP permit Forward Proxy decryption as long as you install the enterprise CA certificate (or the certificate chain) on the client, because browsers don't enforce pins against locally installed trust anchors. Note that mainstream browsers have since dropped HPKP support, so pinning that breaks decryption today is more often found in non-browser clients such as mobile apps.
If the technical reason for excluding a site from decryption is an incomplete certificate chain, the next-generation firewall doesn't automatically fetch the missing intermediate certificates to complete the chain as a browser would. Before you add such a site to the SSL Decryption Exclusion list, manually review the site to ensure it's a legitimate business site, then download the missing sub-CA (intermediate) certificates and load and deploy them onto the firewall so that it can complete the chain.
After you add a server to the SSL Decryption Exclusion list, the firewall compares the hostname that you used to define the decryption exclusion against both the Server Name Indication (SNI) in the client hello message and the Common Name (CN) in the server certificate. If either the SNI or the CN matches the entry in the SSL Decryption Exclusion list, the firewall excludes the traffic from decryption.
- Select Device > Certificate Management > SSL Decryption Exclusions.
- Add a new decryption exclusion, or select an existing custom entry to modify it.
- Enter the hostname of the website or application you want to exclude from decryption. The hostname is case-sensitive. You can use wildcards to exclude multiple hostnames associated with a domain; the firewall excludes from decryption all sessions where the server presents a CN that matches the domain.
- Make sure that the hostname field is unique for each custom entry. If a predefined exclusion matches a custom entry, the custom entry takes precedence.
- (Optional) Select Shared to share the exclusion across all virtual systems in a multiple virtual system firewall.
- Select Exclude from decryption. Alternatively, if you are modifying an existing decryption exclusion, you can clear this checkbox to start decrypting an entry that was previously excluded from decryption.
- Click OK to save the new exclusion entry.
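The following is an added example (not Palo Alto Networks code and not the firewall's implementation) that models the matching rules described above and in the procedure: the exclusion hostname is compared against the SNI in the ClientHello and the CN in the server certificate, the comparison is case-sensitive, a leading `*.` wildcard covers subdomains, and a matching custom entry takes precedence over a predefined one, so a custom entry with Exclude from decryption cleared re-enables decryption for a host that is on the predefined list. The ClientHello bytes, the exclusion entries, and the exact wildcard semantics (subdomains only) are constructed assumptions for illustration.

```python
"""Model of SSL Decryption Exclusion matching (added example, not PAN-OS code)."""
import struct
from typing import Optional


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (test input, not real traffic)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(sn_list)) + sn_list  # server_name ext
    body = (b"\x03\x03" + bytes(32)                 # client_version, random
            + b"\x00"                                # session_id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
            + b"\x01\x00"                            # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake: client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's server_name extension, or None."""
    try:
        if record[0] != 0x16:                       # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        body = record[5:5 + rec_len]
        if body[0] != 0x01:                         # not a ClientHello
            return None
        hs = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                # skip version + random
        pos += 1 + hs[pos]                          # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                          # compression_methods
        if pos + 2 > len(hs):
            return None                             # no extensions block
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0x0000:
                continue
            q = 2                                   # skip server_name_list length
            while q + 3 <= len(data):
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                if ntype == 0:
                    return data[q + 3:q + 3 + nlen].decode("ascii", "replace")
                q += 3 + nlen
    except (IndexError, struct.error):
        return None
    return None


def matches(pattern: str, hostname: Optional[str]) -> bool:
    """Case-sensitive hostname match; '*.example.com' covers subdomains (assumption)."""
    if hostname is None:
        return False
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return hostname.endswith(suffix) and len(hostname) > len(suffix)
    return pattern == hostname


def is_excluded(entries, sni: Optional[str], cn: Optional[str]) -> bool:
    """True if the session bypasses decryption. Custom entries are evaluated
    first, so a matching custom entry overrides a predefined one."""
    for custom in (True, False):
        for e in entries:
            if e["custom"] != custom:
                continue
            if matches(e["hostname"], sni) or matches(e["hostname"], cn):
                return e["exclude"]
    return False


def decide(entries, client_hello: bytes, server_cn: str) -> str:
    """Combine SNI extraction and list lookup into the firewall's decision."""
    return "bypass" if is_excluded(entries, parse_sni(client_hello), server_cn) else "decrypt"


# Constructed sample list: one predefined entry plus two custom entries.
EXCLUSIONS = [
    {"hostname": "pinned.example.com", "exclude": True, "custom": False},   # predefined
    {"hostname": "*.corp.example.com", "exclude": True, "custom": True},    # wildcard
    {"hostname": "pinned.example.com", "exclude": False, "custom": True},   # decrypt again
]

if __name__ == "__main__":
    for sni, cn in [("app.corp.example.com", "app.corp.example.com"),
                    ("App.Corp.Example.com", "other"),
                    ("pinned.example.com", "pinned.example.com"),
                    (None, "legacy.corp.example.com")]:
        print(sni, cn, "->", decide(EXCLUSIONS, build_client_hello(sni), cn))
```

The last case (no SNI, matching CN) shows why the CN comparison matters: older or non-browser clients may omit SNI, and the exclusion still applies once the server certificate is seen. The case-sensitive mismatch in the second case is the kind of subtle failure to check for when an entry you added doesn't seem to take effect.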