Allow users to choose whether to continue to a site for which traffic is decrypted or opt
out and allow the firewall to terminate the session, preserving the user’s privacy but
preventing the connection to the site.
In privacy-sensitive situations, you may want to alert your users that the firewall decrypts
certain web traffic and enable them to either continue to a website with the
understanding that their traffic will be decrypted or to terminate the session and
be blocked from accessing the site. (There is no option to go to the site and
also avoid decryption.)
The first time a user attempts to browse to an HTTPS site or application that matches the
decryption policy, the firewall displays a response page notifying users that it
will decrypt the session. Users can either click Yes to allow
decryption and continue to the site or click No to opt out of
decryption and terminate the session. The choice to allow decryption applies to all
HTTPS sites that users try to access for the next 24 hours, after which the firewall
redisplays the response page. Users who opt out of SSL decryption can't access the
requested web page, or any other HTTPS site, for the next minute. After the minute
elapses, the firewall redisplays the response page the next time users attempt
to access an HTTPS site.
The firewall includes a predefined SSL Decryption Opt-out Page that you can enable. You can
optionally customize the page with your own text or images. However, the best
practice is to not allow users to opt out of decryption.
Custom response pages larger than the maximum supported size are not decrypted or displayed to
users. In PAN-OS 8.1.2 and earlier PAN-OS 8.1 releases, custom response pages on
a decrypted site can't exceed 8,191 bytes; the maximum size increases to 17,999
bytes in PAN-OS 8.1.3 and later releases.
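
The following pre-upload size check for a custom opt-out page is an added example, not Palo Alto Networks code. It assumes the page is saved as UTF-8, and the function names and sample page are constructed for illustration. Releases earlier than 8.1 return no limit because this page does not state one.

```python
import re

# Limits stated on this page for custom response pages on a decrypted site.
LIMIT_8_1_EARLY = 8191     # PAN-OS 8.1.2 and earlier PAN-OS 8.1 releases
LIMIT_8_1_3_PLUS = 17999   # PAN-OS 8.1.3 and later releases


def parse_panos_version(version):
    """Parse '8.1.2' or a hotfix string such as '8.1.2-h4' into a tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z0-9.]+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {version!r}")
    return tuple(int(part) for part in m.groups())


def max_page_bytes(version):
    """Return the byte limit for a release, or None when this page gives none."""
    v = parse_panos_version(version)
    if v >= (8, 1, 3):
        return LIMIT_8_1_3_PLUS
    if v >= (8, 1, 0):
        return LIMIT_8_1_EARLY
    return None  # releases before 8.1 are not covered by the text above


def check_response_page(html, version):
    """Compare the encoded size of the page with the limit for the release."""
    size = len(html.encode("utf-8"))  # assumption: file is stored as UTF-8
    limit = max_page_bytes(version)
    return {
        "size_bytes": size,
        "limit_bytes": limit,
        "fits": None if limit is None else size <= limit,
        "headroom": None if limit is None else limit - size,
    }


# Constructed sample: accented text makes the byte count exceed the
# character count, so a character-based check would wrongly pass on 8.1.2.
SAMPLE_PAGE = (
    "<html><body><h1>Décryptage SSL</h1><p>"
    + "Le pare-feu déchiffre cette session. " * 215
    + "</p></body></html>"
)

if __name__ == "__main__":
    for release in ("8.1.2-h4", "8.1.3", "8.0.5"):
        print(release, check_response_page(SAMPLE_PAGE, release))
```

Inline images embedded as base64 count toward the same byte total, so measure the final file rather than the text alone.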