The Palo Alto Networks predefined decryption exclusions list contains websites that
automatically bypass decryption because of technical incompatibilities such as certificate
pinning.
No separate license is required for decryption when using NGFWs or
Prisma Access.
Note: The features and capabilities available to you in
Strata Cloud Manager depend on your active license(s).
Palo Alto Networks provides a predefined list of commonly accessed sites that break
decryption or do not work optimally due to technical reasons, such as pinned
certificates and mutual authentication. Websites on the SSL decryption exclusion list
are nondecryptable and excluded from decryption by default. The Next-Generation Firewall
(NGFW) evaluates traffic against Security policy rules to determine
if the encrypted traffic is allowed. It can't inspect or provide further security
enforcement of the traffic because the traffic remains encrypted. Palo Alto Networks
refreshes the predefined decryption exclusions list as part of its Applications and
Threats content updates (or the Applications content update, if you don’t have a Threat
Prevention license).
You can disable a predefined exclusion. For example, you may want to enforce a strict
Security policy rule that allows only applications and services that the NGFW can decrypt and on which it can enforce Security policy rules. Once the exclusion is disabled, the
NGFW blocks sites whose applications and services technically break decryption
unless an enabled predefined or custom exclusion entry covers them. If a site that breaks decryption isn't on
the predefined list, add an entry to the custom decryption exclusion list.
The SSL decryption exclusion list is not for sites that you choose not to decrypt for
legal, regulatory, business, privacy, or other volitional reasons. For traffic, such
as IP addresses, users, URL categories, services, and even entire zones that you
choose not to decrypt, create a no-decryption policy
rule.
To view and manage Palo Alto Networks predefined SSL decryption exclusions directly:
(PAN-OS and Panorama) Select Device > Certificate Management > SSL Decryption Exclusions.
(Strata Cloud Manager) Select Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption. Then, under Global Decryption Exclusions, next to
Non-Decryptable Sites (Predefined), click the range of
predefined exclusions to open the list.
The Hostname field displays the name of the host that houses the
application or service that technically breaks decryption.
The Description (PAN-OS and Panorama) or
Reason for Decryption (Strata Cloud Manager) field displays the reason the site's
traffic is non-decryptable. For example, if a pinned certificate is the reason, you'd see
pinned-cert on an NGFW or Panorama and Pinned
Certificate on Strata Cloud Manager.
The NGFW, Panorama, or Strata Cloud Manager automatically removes
enabled predefined SSL decryption exclusions from the list when they become
obsolete (the application becomes supported with decryption). On an NGFW and Panorama, Show Obsoletes checks
if any disabled predefined exclusions remain on the list and are no longer
needed. The NGFW does not remove disabled entries automatically, but you
can select and Delete obsolete entries.
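The behaviour described above (disabling a predefined exclusion under a strict policy, covering a site with a custom entry, and content updates removing enabled obsolete entries while leaving disabled ones for Show Obsoletes), as an added illustrative model written for this page and not Palo Alto Networks code. The class and method names, the reason strings and the hostnames are constructed placeholders, not the firewall's API or its real exclusion list.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

@dataclass
class Exclusion:
    hostname: str            # may carry a leading wildcard, e.g. "*.example.invalid"
    reason: str              # what the Description / Reason for Decryption column shows
    enabled: bool = True     # predefined entries start enabled; disable for a strict policy
    predefined: bool = True  # False for entries on the custom exclusion list

@dataclass
class ExclusionList:
    entries: list = field(default_factory=list)

    def add_custom(self, hostname, reason="custom"):
        self.entries.append(Exclusion(hostname, reason, enabled=True, predefined=False))

    def disable(self, hostname):
        for e in self.entries:
            if e.predefined and e.hostname == hostname:
                e.enabled = False

    def decide(self, hostname):
        # bypass:  an enabled exclusion matches; traffic stays encrypted and is not inspected
        # block:   the site is known to break decryption but no enabled entry covers it
        # decrypt: no known obstacle; the Decryption policy rules apply
        matches = [e for e in self.entries if fnmatch(hostname, e.hostname)]
        if any(e.enabled for e in matches):
            return "bypass"
        return "block" if any(e.predefined for e in matches) else "decrypt"

    def apply_content_update(self, refreshed):
        # refreshed maps hostname -> reason from a content update. Enabled entries that dropped
        # out are removed automatically; disabled ones stay for show_obsoletes() to report.
        removed = [e.hostname for e in self.entries
                   if e.predefined and e.enabled and e.hostname not in refreshed]
        self.entries = [e for e in self.entries if e.hostname not in removed]
        known = {e.hostname for e in self.entries if e.predefined}
        self.entries += [Exclusion(h, r) for h, r in refreshed.items() if h not in known]
        return removed

    def show_obsoletes(self, refreshed):
        return [e.hostname for e in self.entries
                if e.predefined and not e.enabled and e.hostname not in refreshed]

    def delete(self, hostnames):
        self.entries = [e for e in self.entries if e.hostname not in hostnames]

# Constructed sample predefined list (placeholder hostnames, not the real list)
PREDEFINED_V1 = {"pinned.example.invalid": "pinned-cert", "*.mtls.example.invalid": "mutual-auth"}
```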
To disable predefined sites in the decryption exclusion list: