Decryption Exclusions

Some applications can’t be decrypted for technical reasons and others for business, compliance, or regulatory reasons. Make decryption exceptions only when necessary.
You can exclude two types of traffic from decryption:
  • Traffic that breaks decryption for technical reasons, such as using a pinned certificate, an incomplete certificate chain, unsupported ciphers, or mutual authentication (attempting to decrypt the traffic results in the firewall blocking it). Palo Alto Networks provides a predefined SSL Decryption Exclusion list (Certificate Management > SSL Decryption Exclusion) that by default excludes hosts whose applications and services are known to break decryption technically. If you encounter sites that break decryption technically and are not on the SSL Decryption Exclusion list, add them to the list manually by server hostname. The firewall blocks sites whose applications and services break decryption technically unless you add them to the SSL Decryption Exclusion list.
    If the Decryption profile allows Unsupported Modes (sessions with client authentication, unsupported versions, or unsupported cipher suites), the firewall automatically adds servers and applications that use the allowed unsupported modes to its Local SSL Decryption Exclusion Cache (Certificate Management > SSL Decryption Exclusion > Show Local Exclusion Cache). Blocking unsupported modes increases security, but it also blocks communication with applications that use those modes.
  • Traffic that you choose not to decrypt because of business, regulatory, personal, or other reasons, such as financial-services, health-and-medicine, or government traffic. You can exclude such traffic based on source, destination, URL category, and service.
You can use asterisks (*) as wildcards to create decryption exclusions for multiple hostnames associated with a domain. Asterisks behave the same way that carets (^) behave for URL category exceptions—each asterisk controls one variable subdomain (label) in the hostname. This enables you to create both very specific and very general exclusions. For example:
  • mail.*.com matches but does not match
  • * matches but does not match
  • *.* matches but does not match
  • *.*.* matches, but does not match
  • * matches, but does not match
  • *.* matches, but does not match
For example, to use wildcards to exclude from decryption but not to exclude from decryption, exclude *.*
Regardless of the number of asterisk wildcards that precede a hostname (without a non-wildcard label preceding the hostname), the hostname matches the entry. For example, *, *.*, and *.*.* all match However, *.dev.* does not match because one label (dev) is not a wildcard.
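To see how broad a wildcard exclusion is before you commit it, the following is an added example (not Palo Alto Networks code) that models the label-wise matching rules described above: each asterisk stands for exactly one label, and a pattern whose only wildcards are a leading run (such as *.*.example.com) also matches the bare hostname. The pattern mail.*.com is taken from the page; every hostname below is constructed for the demonstration, and the handling of a leading wildcard run against the bare hostname is this example's reading of the page's rule, so verify actual behaviour on your firewall before relying on an exclusion.

```python
"""Label-wise wildcard matching for decryption-exclusion hostnames.

Added example, not vendor code. It models two rules: each '*' matches
exactly one label, and a pattern whose only wildcards are a leading run
(e.g. '*.*.example.com') also matches the bare hostname ('example.com').
All hostnames in the demo are constructed; confirm real behaviour on the
firewall before depending on a wildcard exclusion.
"""
from typing import Iterable


def matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the exclusion `pattern`."""
    p = pattern.lower().strip(".").split(".")
    h = hostname.lower().strip(".").split(".")

    # Rule 1: same number of labels; '*' matches any single label and
    # every other label must match exactly.
    if len(p) == len(h) and all(pl == "*" or pl == hl for pl, hl in zip(p, h)):
        return True

    # Rule 2 (assumption drawn from the page's '*', '*.*', '*.*.*' example):
    # a run of leading wildcards with no literal label before the fixed
    # part also matches the bare hostname. '*.dev.example.com' has a
    # literal label (dev) before the fixed part, so it does not.
    fixed_start = 0
    while fixed_start < len(p) and p[fixed_start] == "*":
        fixed_start += 1
    fixed = p[fixed_start:]
    if fixed_start > 0 and "*" not in fixed and h == fixed:
        return True

    return False


def coverage(pattern: str, candidates: Iterable[str]) -> list[str]:
    """Which of `candidates` an exclusion would pull out of decryption."""
    return [c for c in candidates if matches(pattern, c)]


if __name__ == "__main__":
    # Constructed hostnames, e.g. pulled from decryption logs (not from the page).
    seen = [
        "example.com",
        "mail.example.com",
        "www.example.com",
        "api.eu.example.com",
        "build.dev.example.com",
        "mail.example.net",
    ]
    for pat in ("mail.*.com", "*.example.com", "*.*.example.com", "*.dev.example.com"):
        print(f"{pat:20} -> {coverage(pat, seen)}")
```

Run the module against the hostnames you actually see in decryption logs; if a candidate pattern covers more than the hosts you intend to exempt, tighten it, since every extra host in an exclusion is traffic you lose visibility into.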
To increase visibility into traffic and reduce the attack surface as much as possible, don’t make decryption exceptions unless you must.
