Network Security
Exclude Traffic from Decryption for Business, Legal, or Regulatory Reasons (PAN-OS)
Table of Contents
Exclude Traffic from Decryption for Business, Legal, or Regulatory Reasons (PAN-OS)
The following procedure shows how to exclude financial or health-related traffic from
SSL Forward Proxy decryption.
- Exclude traffic from decryption based on match criteria.
- Select and Add or modify a decryption policy rule.
- Define the traffic that you want to exclude from decryption.
- Enter a descriptive Name, such as No-Decrypt-Finance-Health.
- For Source and Destination, select Any.
- Select the Service/URL Category tab, and Add the financial-services and health-and-medicine categories.
- Select the Options tab, and for Action, select No Decrypt.
- (Best Practice) For Decryption Profile, select a no-decryption profile that validates certificates for sessions you don't want to decrypt.Exception: Don’t attach a no-decryption profile to decryption policy rules for TLSv1.3 traffic that you don’t decrypt because NGFWs can’t read the encrypted certificate information so it can’t perform certificate checks. However, you should still create a decryption policy rule for TLSv1.3 traffic that you don’t decrypt because undecrypted traffic isn’t logged unless a decryption policy rule controls that traffic.If you haven't already, configure the decryption profile to Block sessions with expired certificates and Block sessions with untrusted issuers.
- Click OK.
- Place your decryption policy rule at the top of the decryption rulebase.The NGFW enforces decryption rules against incoming traffic in the rulebase sequence and enforces the first rule that the traffic matches.Select the No-Decrypt-Finance-Health policy rule (), and click Move Up until it appears at the top of the list, or drag and drop the rule.
- Save the configuration.Click Commit.
