Decryption Exclusions
Some applications can’t be decrypted for technical reasons and others for business,
compliance, or regulatory reasons. Make decryption exceptions only when
necessary.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | No separate license required for decryption when using NGFWs or Prisma Access. Note: The features and capabilities available to you in Strata Cloud Manager depend on your active license(s). |
Not all traffic can or should be decrypted. For example, the QUIC (Quick UDP Internet
Connections) protocol uses proprietary encryption over UDP, which cannot be decrypted.
However, you can block the protocol, forcing browsers to fall back to SSL/TLS, which
enables the traffic to be inspected. Some traffic is automatically excluded from decryption
because it does not work properly when decrypted; these websites are added to the Local SSL
Decryption Exclusion Cache. Palo Alto Networks also maintains a predefined SSL decryption
exclusion list of commonly used websites that break decryption. Sites in the predefined
exclusion list and in the local cache remain encrypted, and no policy rules are enforced on
them.
You can also exclude traffic from decryption by adding a website to a custom SSL
decryption exclusion list or creating a decryption policy rule that excludes the website
from decryption based on URL categories, source, or other conditions. With a decryption
exclusion, all traffic originating from or destined to the targeted server remains
encrypted. In general, two types of traffic can be excluded from decryption:
- Traffic that breaks decryption for technical reasons, such as using a pinned certificate, an incomplete certificate chain, unsupported ciphers, or mutual authentication (attempting to decrypt this traffic results in blocking it). There are two constructs for sites that break decryption for technical reasons and therefore need to be excluded from decryption: the predefined SSL decryption exclusion list and the Local SSL Decryption Exclusion Cache. If a website whose applications and services break decryption technically is in neither the predefined SSL decryption exclusion list nor the Local SSL Decryption Exclusion Cache, the NGFW blocks it unless you add it to a custom SSL decryption exclusion list.
- The predefined SSL decryption exclusion list consists of the servers (with their applications and services) that Palo Alto Networks has identified as breaking decryption technically, plus the permanent decryption exclusions that you add manually. If you encounter sites that break decryption technically and are not on the predefined decryption exclusion list, add the server hostname to the list. Content updates keep the list up to date.
- The Local SSL Decryption Exclusion Cache contains servers and websites that the NGFW automatically excludes from decryption for 12 hours because they break decryption for technical reasons, provided that the decryption profile applied to the traffic allows unsupported modes. If unsupported modes are blocked, then the traffic is blocked instead of added to the local cache.
- Traffic that you choose not to decrypt because of business, regulatory, personal, or other reasons, such as financial-services, health-and-medicine, or government traffic. Create a policy-based decryption exclusion to exclude this traffic based on source, destination, URL category, or service.
To increase visibility into traffic and reduce the
attack surface as much as possible, don’t make decryption exceptions unless you
must.
Whether you are adding an entry to a custom SSL decryption exclusion list, a custom URL
category, an external dynamic list, or another object used in a policy-based exception, use
asterisks (*) as wildcards to create an entry that matches multiple hostnames associated
with a domain. Asterisks behave the same way that carets (^) behave for URL category
exceptions: each asterisk matches exactly one variable subdomain (label) in the hostname.
This enables you to create both very specific and very general exclusions.
Example Decryption Exclusion Entries:
- mail.*.com matches mail.company.com but does not match mail.company.sso.com
- *.company.com matches tools.company.com but does not match eng.tools.company.com
- *.*.company.com matches eng.tools.company.com but does not match eng.company.com
- *.*.*.company.com matches corp.exec.mail.company.com but does not match corp.mail.company.com
- mail.google.* matches mail.google.com but does not match mail.google.uk.com
- mail.google.*.* matches mail.google.co.uk but does not match mail.google.com
To exclude video-stats.video.google.com from decryption but not video.google.com, add
*.*.google.com to the SSL decryption exclusion list.
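The label-wise asterisk rule above, as an added Python example (not Palo Alto Networks code): each asterisk matches exactly one label, so an entry and a hostname must have the same label count. `covering_entries` is a hypothetical helper for auditing which entries in an exclusion list would exempt a given host; the expectation table is constructed from the examples on this page.

```python
# Added example (not Palo Alto Networks code): label-wise wildcard matching
# as documented above. Each "*" matches exactly one hostname label.
from __future__ import annotations


def _labels(name: str) -> list[str]:
    # Hostnames are case-insensitive; ignore a trailing dot.
    return name.strip().lower().rstrip(".").split(".")


def exclusion_matches(pattern: str, hostname: str) -> bool:
    """True if the exclusion entry `pattern` covers `hostname`.

    Label counts must agree because one asterisk never spans several
    labels; every non-wildcard label must match exactly.
    """
    p, h = _labels(pattern), _labels(hostname)
    return len(p) == len(h) and all(a == "*" or a == b for a, b in zip(p, h))


def covering_entries(entries: list[str], hostname: str) -> list[str]:
    """Every entry in an exclusion list that would exempt `hostname`."""
    return [e for e in entries if exclusion_matches(e, hostname)]


# Constructed check against the worked examples in the documentation.
EXPECTATIONS = [
    ("mail.*.com", "mail.company.com", True),
    ("mail.*.com", "mail.company.sso.com", False),
    ("*.company.com", "tools.company.com", True),
    ("*.company.com", "eng.tools.company.com", False),
    ("*.*.company.com", "eng.tools.company.com", True),
    ("*.*.company.com", "eng.company.com", False),
    ("*.*.*.company.com", "corp.exec.mail.company.com", True),
    ("*.*.*.company.com", "corp.mail.company.com", False),
    ("mail.google.*", "mail.google.com", True),
    ("mail.google.*", "mail.google.uk.com", False),
    ("mail.google.*.*", "mail.google.co.uk", True),
    ("mail.google.*.*", "mail.google.com", False),
    ("*.*.google.com", "video-stats.video.google.com", True),
    ("*.*.google.com", "video.google.com", False),
]

if __name__ == "__main__":
    for pattern, host, expected in EXPECTATIONS:
        got = exclusion_matches(pattern, host)
        print("ok " if got == expected else "BAD", pattern, host, got)
```

Running `covering_entries` over a real exclusion list before committing it shows which broad wildcards would also exempt hosts you still want inspected.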