Decryption Exclusions
Some applications can’t be decrypted for technical reasons and others for business,
compliance, or regulatory reasons. Make decryption exceptions only when
necessary.
Where Can I Use This? | What Do I Need?
| No separate license required for decryption when using NGFWs or Prisma Access.
| Note: The features and capabilities available to you in Strata Cloud Manager depend on your active license(s).
Not all traffic can or should be decrypted. For example, the QUIC (Quick UDP Internet
Connections) protocol encrypts traffic over UDP, and the NGFW cannot decrypt it.
However, you can block QUIC, which forces browsers to fall back to SSL/TLS over TCP,
where the traffic can be inspected. Some traffic is automatically excluded from decryption
because it does not work correctly when decrypted; these sites are added to the Local SSL
Decryption Exclusion Cache. Palo Alto Networks also maintains a predefined SSL decryption
exclusion list of commonly used websites that break decryption. Sites on the predefined
exclusion list and in the local cache remain encrypted, so decryption policy rules do not
apply to them and their contents are not inspected.
You can also exclude traffic from decryption by adding a website to a custom SSL
decryption exclusion list or creating a decryption policy rule that excludes the website
from decryption based on URL categories, source, or other conditions. With a decryption
exclusion, all traffic originating from or destined to the targeted server remains
encrypted. In general, two types of traffic can be excluded from decryption:
- Traffic that breaks decryption for technical reasons, such as a pinned
certificate, an incomplete certificate chain, unsupported ciphers, or mutual
authentication (attempting to decrypt such traffic results in blocking it). Two
constructs hold sites that break decryption for technical reasons and therefore
need to be excluded from decryption: the predefined SSL decryption exclusion list
and the Local SSL Decryption Exclusion Cache. If a website whose applications and
services break decryption technically is in neither the predefined SSL decryption
exclusion list nor the local SSL decryption exclusion cache, the NGFW blocks it
(subject to how the decryption profile handles unsupported modes, described below)
unless you add it to a custom SSL decryption exclusion list.
  - The predefined SSL decryption exclusion list consists of the servers (with
their applications and services) that Palo Alto Networks has identified as
breaking decryption technically, plus permanent decryption exclusions that you
add manually. If you encounter sites that break decryption technically and are
not on the predefined list, add the server hostname to the list. Content updates
keep the predefined entries current.
  - The Local SSL Decryption Exclusion Cache contains servers and websites that
the NGFW automatically excludes from decryption for 12 hours because they break
decryption for technical reasons, provided that the decryption profile applied
to the traffic allows unsupported modes. If unsupported modes are blocked, the
traffic is blocked instead of being added to the local cache.
- Traffic that you choose not to decrypt for business, regulatory, personal, or
other reasons, such as financial-services, health-and-medicine, or government
traffic. Create a policy-based decryption exclusion to exclude this traffic based
on source, destination, URL category, or service.
To increase visibility into traffic and reduce the
attack surface as much as possible, don’t make decryption exceptions unless you
must.
Whether you add an entry to a custom SSL decryption exclusion list, a custom URL category,
an external dynamic list, or another object used in a policy-based exception, use
asterisks (*) as wildcards to create an entry that covers multiple hostnames
associated with a domain. Asterisks behave the same way that carets (^) behave for
URL category exceptions: each asterisk stands for exactly one variable subdomain (label)
in the hostname, never zero labels and never more than one. This lets you create both
very specific and very general exclusions.
Example Decryption Exclusion Entries:
mail.*.com matches mail.company.com but does not match mail.company.sso.com
*.company.com matches tools.company.com but does not match
eng.tools.company.com
*.*.company.com matches eng.tools.company.com but does not match
eng.company.com
*.*.*.company.com matches corp.exec.mail.company.com but does not match
corp.mail.company.com
mail.google.* matches mail.google.com but does not match mail.google.uk.com
mail.google.*.* matches mail.google.co.uk but does not match mail.google.com
To exclude video-stats.video.google.com from decryption but not video.google.com, add
*.*.google.com to the SSL decryption exclusion list.
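The following is an added example, not Palo Alto Networks code: a small Python model of the wildcard rule stated above (each asterisk stands for exactly one DNS label), so you can check which hostnames a proposed entry would cover before committing it to a custom SSL decryption exclusion list. The function names and the sample hostnames are this example's own constructions; the expected results are the ones listed on this page.

```python
"""Check wildcard entries for SSL decryption exclusions.

Added example (not Palo Alto Networks code). Models the rule on this page:
an asterisk matches exactly one DNS label, so '*.company.com' covers
'tools.company.com' but not 'eng.tools.company.com' or 'company.com'.
"""
from typing import Iterable, List


def _labels(name: str) -> List[str]:
    # Hostnames are case-insensitive; a trailing dot (FQDN form) is ignored.
    return name.strip().rstrip(".").lower().split(".")


def exclusion_matches(entry: str, hostname: str) -> bool:
    """True if the exclusion entry (e.g. '*.*.company.com') covers hostname."""
    pattern, host = _labels(entry), _labels(hostname)
    # One asterisk == one label, so the label counts must agree exactly.
    if len(pattern) != len(host):
        return False
    return all(p == "*" or p == h for p, h in zip(pattern, host))


def covered_hosts(entry: str, hostnames: Iterable[str]) -> List[str]:
    """Return the hostnames the entry would exclude from decryption."""
    return [h for h in hostnames if exclusion_matches(entry, h)]


def fixed_labels(entry: str) -> int:
    """Number of non-wildcard labels in an entry.

    A low count means a broad exclusion (e.g. '*.*.com' fixes only the TLD);
    review such entries carefully, since excluded traffic is never inspected.
    """
    return sum(1 for label in _labels(entry) if label != "*")


if __name__ == "__main__":
    # Constructed hostnames mirroring the page's examples (not real targets).
    candidates = [
        "mail.company.com", "mail.company.sso.com", "tools.company.com",
        "eng.tools.company.com", "eng.company.com", "company.com",
        "corp.exec.mail.company.com", "corp.mail.company.com",
    ]
    for entry in ("mail.*.com", "*.company.com", "*.*.company.com",
                  "*.*.*.company.com"):
        print(f"{entry:22} fixed labels={fixed_labels(entry)} "
              f"covers {covered_hosts(entry, candidates)}")
```

Run it on the hostnames you actually see in decryption logs before adding an entry; if the covered list is longer than you expected, the entry is broader than you want.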