Exclude a Server from Decryption for Technical Reasons
Add servers that break decryption for technical reasons, such as an internal custom
application, to the SSL decryption exclusion list to automatically exclude them from
decryption.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | No separate license required for decryption when using NGFWs or Prisma Access. Note: The features and capabilities available to you in Strata Cloud Manager depend on your active license(s). |
Sometimes applications, websites, or services encounter technical issues when
decryption is attempted. Technical reasons that sites break decryption include
pinned certificates, client authentication, incomplete certificate chains, and
unsupported ciphers. For HTTP public key pinning (HPKP), most browsers that use HPKP
permit Forward Proxy decryption as long as you install the enterprise CA certificate
(or the certificate chain) on the client. The most common sites that break
decryption or don't work optimally are included in the Palo Alto Networks predefined
decryption exclusion list.
If decryption breaks an important application or service technically, you can add the
hostname of the site hosting the application or service to a custom SSL decryption
exclusion list. The Next-Generation Firewall (NGFW) doesn’t decrypt,
inspect, or apply Security policy rules or decryption policy rules to traffic on
this list. For example, an internal custom application that breaks decryption but is
business-critical should be added to the list so the custom application traffic is
allowed. If a website whose applications and services break decryption technically
is not on either the predefined or custom decryption exclusion list, it is blocked.
For security purposes, be sure that only sites you need for business purposes are
added to this list.
The SSL decryption exclusion list is not for sites you intentionally don’t
decrypt for legal, regulatory, business, privacy, or other volitional reasons.
For traffic (IP addresses, users, URL categories, services, and even entire
zones) you choose not to decrypt, create a policy-based decryption
exclusion.
If the technical reason for excluding a site from decryption is an incomplete
certificate chain, the NGFW doesn't automatically fix the chain
as a browser would. If you need to add a site to the SSL decryption exclusion
list, review the site to ensure it's a legitimate business site, then download
the missing sub-CA certificates and load and deploy them onto the NGFW, either
directly or through the NGFW or Prisma Access management interfaces.
After a server is added to the SSL decryption exclusion list, the NGFW
compares the server hostname that you used to create the decryption exclusion entry
against both the Server Name Indication (SNI) in the client hello message and the
Common Name (CN) in the server certificate. If either the SNI or CN matches the list
entry, the NGFW excludes the traffic from decryption.
Exclude a Server from Decryption for Technical Reasons (Strata Cloud Manager)
Add servers to the Global Decryption Exclusions list to exclude them from decryption
for technical, business, regulatory, personal, or other reasons.
- Log in to Strata Cloud Manager.
- Navigate to the Global Decryption Exclusions settings. Select Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption.
- Add an entry to the Custom Exclusions list.
  - Click the + (plus icon).
  - Enter the Hostname of the website or application you want to exclude from decryption. The hostname is case-sensitive. Make sure that the hostname is unique for each entry. If the hostname of a predefined exclusion matches the hostname of a custom entry, the custom entry takes precedence. You can use wildcards to exclude multiple hostnames associated with a domain. The NGFW does not decrypt the sessions if the server presents a Common Name (CN) that matches the domain.
  - (Optional) Enter a Description.
  - Save your entry.
- To commit your changes, click Push Config.
Exclude a Server from Decryption for Technical Reasons (PAN-OS)
- Log in to the web interface.
- Navigate to the SSL Decryption Exclusions list. Select Device > Certificate Management > SSL Decryption Exclusions.
- Add a new decryption exclusion, or select an existing custom entry to modify.
- Enter the hostname of the website or application you want to exclude from decryption. The hostname is case-sensitive. Make sure that the hostname field is unique for each custom entry. If a predefined exclusion matches a custom entry, the custom entry takes precedence. You can use wildcards to exclude multiple hostnames associated with a domain. The NGFW does not decrypt the sessions if the server presents a Common Name (CN) that matches the domain.
- (Optional) To share the exclusion across all virtual systems in a multiple virtual system NGFW, select Shared.
- Exclude the application from decryption. Conversely, you can deselect this option to begin decrypting an entry that was previously excluded from decryption.
- Click OK.
- Commit your changes.
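As an added illustration, not Palo Alto Networks code, the following Python models the exclusion match described on this page: a case-sensitive comparison of each list entry against both the TLS SNI and the server certificate CN, custom entries taking precedence over predefined ones, and the PAN-OS option to deselect exclusion on an entry so its traffic is decrypted again. The single-label meaning of a leading `*.` wildcard and the extension of custom precedence to wildcard matches are assumptions, and all hostnames are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Exclusion:
    """One SSL Decryption Exclusions entry: the hostname, the list it came
    from, and whether it currently excludes matching sessions (PAN-OS lets
    you deselect this on an entry to resume decrypting it)."""
    hostname: str
    source: str            # "custom" or "predefined"
    exclude: bool = True


def hostname_matches(pattern: str, name: Optional[str]) -> bool:
    """Case-sensitive match, as the page specifies. Assumption: a leading
    "*." matches exactly one label under the domain (RFC 6125 style), so
    "*.cdn.example" matches "img.cdn.example" but not "a.b.cdn.example"."""
    if not name:
        return False
    if pattern.startswith("*."):
        suffix = pattern[1:]                                   # ".cdn.example"
        label = name[: -len(suffix)] if name.endswith(suffix) else ""
        return bool(label) and "." not in label
    return pattern == name


def decryption_decision(sni: Optional[str], cn: Optional[str],
                        entries: Iterable[Exclusion]) -> dict:
    """Decide whether a session is excluded from decryption. Custom entries
    are evaluated first so a matching custom entry always wins (the page
    states this for identical hostnames; applying it to wildcard matches is
    an assumption). Either the SNI or the certificate CN can trigger a match,
    and the result records which one did, which is what you want in a log."""
    ordered = sorted(entries, key=lambda e: e.source != "custom")  # custom first
    for entry in ordered:
        for field, value in (("sni", sni), ("cn", cn)):
            if hostname_matches(entry.hostname, value):
                return {"action": "exclude" if entry.exclude else "decrypt",
                        "matched_on": field, "entry": entry.hostname,
                        "source": entry.source}
    return {"action": "decrypt", "matched_on": None, "entry": None, "source": None}


# Constructed sample lists; the hostnames are placeholders, not real entries.
EXAMPLE_ENTRIES = [
    Exclusion("app.corp.example", "custom"),                # internal app that breaks decryption
    Exclusion("img.cdn.example", "custom", exclude=False),  # custom entry that re-enables decryption
    Exclusion("*.cdn.example", "predefined"),               # stands in for a predefined wildcard
]
```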