Palo Alto Networks Predefined Decryption Exclusions

The NGFW automatically bypasses decryption for sites that are known to break decryption for technical reasons such as a pinned certificate (the traffic is still subject to Security policy rules).
Where Can I Use This?
What Do I Need?
  • No separate license required for decryption when using NGFWs or Prisma Access.
Note: The features and capabilities available to you in Strata Cloud Manager depend on your active license(s).
Palo Alto Networks provides a predefined list of commonly accessed sites that break decryption or do not work properly for technical reasons, such as pinned certificates and mutual (client certificate) authentication. Sites on the SSL decryption exclusion list are treated as non-decryptable and are excluded from decryption by default. The Next-Generation Firewall (NGFW) still evaluates the traffic against Security policy rules to determine whether the encrypted session is allowed, but because the traffic remains encrypted it cannot inspect the payload or apply content-based security enforcement to it. Palo Alto Networks refreshes the predefined decryption exclusions list as part of its Applications and Threats content updates (or the Applications content update, if you don't have a Threat Prevention license).
You can disable a predefined exclusion. For example, you may want to enforce a strict Security policy that allows only applications and services that the NGFW can decrypt and inspect. When an exclusion is disabled, the NGFW attempts to decrypt the matching traffic; because the site breaks decryption technically, the session fails, so sites that break decryption and are not enabled on a predefined or custom exclusion list are effectively blocked. If a site breaks decryption and isn't on the predefined list, add it to the custom decryption exclusion list.
The SSL decryption exclusion list is not for sites that you choose not to decrypt for legal, regulatory, business, privacy, or other policy reasons. For traffic that you choose not to decrypt, whether identified by IP address, user, URL category, service, or even an entire zone, create a Decryption policy rule with the No Decrypt action instead.
To view and manage Palo Alto Networks predefined SSL decryption exclusions directly:
  • (PAN-OS and Panorama) Select Device > Certificate Management > SSL Decryption Exclusions.
  • (Strata Cloud Manager) Select Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption. Then, under Global Decryption Exclusions, next to Non-Decryptable Sites (Predefined), click the range of predefined exclusions to open the list.
The Hostname column displays the host that serves the application or service that breaks decryption technically.
The Description column (PAN-OS and Panorama) or Reason for Decryption column (Strata Cloud Manager) displays why the site's traffic is non-decryptable. For example, if a pinned certificate is the reason, you see pinned-cert on an NGFW or Panorama and Pinned Certificate in Strata Cloud Manager.
The NGFW, Panorama, and Strata Cloud Manager automatically remove enabled predefined SSL decryption exclusions from the list when they become obsolete (that is, when the application becomes supported with decryption). Disabled entries are not removed automatically: on an NGFW or Panorama, Show Obsoletes checks whether any disabled predefined exclusions that are no longer needed remain on the list, and you can select and Delete those obsolete entries.
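The list is managed in the GUI, but the same information is present in the exported running configuration, so the state of the exclusions can be audited offline. The following Python script is an added example, not Palo Alto Networks code: it parses a constructed configuration fragment, reports which predefined exclusions are in force, disabled, or obsolete (the check that Show Obsoletes performs for disabled entries), lists the custom exclusions, and classifies what happens to a given hostname when a Decryption policy rule selects its traffic for decryption. The XML paths (/config/predefined/ssl-decrypt and /config/shared/ssl-decrypt, including the disabled-ssl-exclude-cert-from-predefined member list), the hostnames, and the description strings other than pinned-cert are assumptions; verify them against a configuration exported from your own device before relying on the script. Matching custom entries with shell-style wildcards is also an assumption.

```python
"""Audit PAN-OS SSL decryption exclusions from an exported configuration.

Added example, not Palo Alto Networks code. The XML layout below is an
assumption: predefined entries under /config/predefined/ssl-decrypt, custom
entries and the disabled-predefined member list under /config/shared/ssl-decrypt.
Check the xpaths against your own exported running-config.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample config (hostnames and most descriptions are placeholders):
#  - two predefined exclusions, one of them disabled by the administrator
#  - a disabled member whose predefined entry no longer exists (obsolete)
#  - one custom exclusion using a wildcard
SAMPLE_CONFIG = """<config>
  <predefined>
    <ssl-decrypt>
      <ssl-exclude-cert>
        <entry name="pinned.example.com"><description>pinned-cert</description></entry>
        <entry name="mtls.example.net"><description>client-cert-auth</description></entry>
      </ssl-exclude-cert>
    </ssl-decrypt>
  </predefined>
  <shared>
    <ssl-decrypt>
      <ssl-exclude-cert>
        <entry name="*.internal-pinned.example.org"><description>custom pinned cert</description></entry>
      </ssl-exclude-cert>
      <disabled-ssl-exclude-cert-from-predefined>
        <member>mtls.example.net</member>
        <member>retired.example.com</member>
      </disabled-ssl-exclude-cert-from-predefined>
    </ssl-decrypt>
  </shared>
</config>
"""


def audit_exclusions(config_xml):
    """Classify predefined exclusions as bypassed (in force), disabled, or
    obsolete (disabled but no longer present in the predefined list), and
    collect custom exclusions. Hostnames are normalised to lower case."""
    root = ET.fromstring(config_xml)
    predefined = {}
    for e in root.iterfind("./predefined/ssl-decrypt/ssl-exclude-cert/entry"):
        predefined[e.get("name", "").lower()] = (e.findtext("description") or "").strip()
    disabled = set()
    for m in root.iterfind("./shared/ssl-decrypt/disabled-ssl-exclude-cert-from-predefined/member"):
        if m.text:
            disabled.add(m.text.strip().lower())
    custom = {}
    for e in root.iterfind("./shared/ssl-decrypt/ssl-exclude-cert/entry"):
        custom[e.get("name", "").lower()] = (e.findtext("description") or "").strip()
    return {
        "reasons": predefined,                                   # hostname -> description
        "bypassed": sorted(set(predefined) - disabled),          # exclusion in force
        "disabled": sorted(disabled & set(predefined)),          # will be decrypted (and fail)
        "obsolete": sorted(disabled - set(predefined)),          # what Show Obsoletes flags
        "custom": custom,                                        # pattern -> description
    }


def decryption_disposition(hostname, audit):
    """What the firewall does with a TLS session to `hostname`, assuming a
    Decryption policy rule with the Decrypt action already matches the
    session. Returns (action, reason)."""
    host = hostname.lower()
    if host in audit["bypassed"]:
        return ("bypass", "predefined: " + audit["reasons"][host])
    # Assumption: custom entries are matched as shell-style wildcard patterns.
    for pattern in audit["custom"]:
        if fnmatch.fnmatchcase(host, pattern):
            return ("bypass", "custom: " + pattern)
    if host in audit["disabled"]:
        return ("decrypt", "predefined exclusion disabled (" + audit["reasons"][host]
                + "); expect the TLS session to fail")
    return ("decrypt", "no exclusion matched")


if __name__ == "__main__":
    report = audit_exclusions(SAMPLE_CONFIG)
    for key in ("bypassed", "disabled", "obsolete"):
        print(f"{key:9s}: {', '.join(report[key]) or '-'}")
    print(f"custom   : {', '.join(report['custom']) or '-'}")
    for h in ("pinned.example.com", "app.internal-pinned.example.org",
              "mtls.example.net", "www.example.com"):
        print(f"{h:35s} -> {decryption_disposition(h, report)}")
```

Run it against a real export by replacing SAMPLE_CONFIG with the file contents; the "obsolete" list is the set of entries you would Delete after Show Obsoletes, and the "disabled" list is the set of sites whose sessions will fail once a Decrypt rule matches them.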
To disable predefined sites in the decryption exclusion list:
  • (PAN-OS and Panorama)
    1. Select Device > Certificate Management > SSL Decryption Exclusions.
    2. Select the check box of the Hostname you want to disable, and then click Disable.
    3. Commit the configuration.
  • (Strata Cloud Manager)
    1. Select Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption.
    2. Under Global Decryption Exclusions, next to Non-Decryptable Sites (Predefined), click the range of predefined exclusions to open the list.
    3. Select the check box of the Hostname you want to disable, and then click Disable.
    4. Push Config.