Add servers that break decryption for technical reasons, such as an internal custom
application, to the SSL decryption exclusion list to automatically exclude them from
decryption.
Where Can I Use This? | What Do I Need?
| No separate license required for decryption when using NGFWs or Prisma Access. Note: The features and capabilities available to you in Strata Cloud Manager depend on your active license(s).
Sometimes applications, websites, or services encounter technical issues when
decryption is attempted. Technical reasons a site breaks decryption include
pinned certificates, client authentication (the server requires a client certificate
that the forward proxy cannot present because it does not hold the client's private key),
incomplete certificate chains, and unsupported ciphers. For HTTP public key pinning (HPKP),
most browsers that use HPKP permit Forward Proxy decryption as long as you install the
enterprise CA certificate (or the certificate chain) on the client. The most common sites
that break decryption or do not work optimally are included in the Palo Alto Networks
predefined decryption exclusion list.
If decryption breaks an important application or service technically, add the
hostname of the site hosting the application or service to a custom SSL decryption
exclusion list. The Next-Generation Firewall (NGFW) doesn't decrypt, inspect, or apply
Security policy rules or decryption policy rules to traffic on this list. For example,
an internal custom application that breaks decryption but is business-critical should be
added to the list so that its traffic is allowed. If a site that breaks decryption
technically is on neither the predefined nor the custom decryption exclusion list, the
NGFW attempts to decrypt the session, the handshake fails, and the traffic is blocked.
Because excluded traffic is not inspected, add only sites you need for business purposes
to this list, and review the list periodically.
Before adding a custom exclusion, check the predefined exclusion list. If the
hostname is already listed, a custom entry is not required.
The SSL decryption exclusion list is
not for sites you intentionally do
not decrypt for legal, regulatory, business, or privacy reasons. For traffic you
choose not to decrypt,
create a policy-based decryption
exclusion.
If the technical reason for excluding a site from decryption is an incomplete
certificate chain, the NGFW doesn't automatically fetch the missing intermediate
certificates to complete the chain as a browser would. Before adding such a site to
the SSL decryption exclusion list, review the site to ensure it's a legitimate business
site. Then obtain the missing sub-CA (intermediate) certificates from the issuing CA,
not from an untrusted source, and load and deploy them onto the NGFW, either directly
or through the NGFW or Prisma Access management interface. Once the NGFW can build the
full chain, the site can often be decrypted normally and no exclusion is needed.
After a server is added to the SSL decryption exclusion list, the NGFW
compares the server hostname in the decryption exclusion entry against both the
Server Name Indication (SNI) in the client hello message and the Common Name (CN) in
the server certificate. If either the SNI or CN matches the entry, the NGFW does not decrypt the traffic.
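The following Python script is an added example, not Palo Alto Networks code. It models the matching rules stated on this page: an entry matches when either the client-hello SNI or the certificate CN equals its hostname, comparisons are case-sensitive, a custom entry takes precedence over a predefined entry for the same hostname (so a custom entry with Exclude deselected re-enables decryption), and a wildcard entry covers hostnames under a domain. It also runs the checks a practitioner wants before adding custom entries: entries already in the predefined list, case variants that silently fail to match, and duplicates. All hostnames are constructed placeholders; the exact wildcard semantics (`*` standing for one or more leading labels) and the evaluation order between a custom wildcard and a predefined exact entry are assumptions of the model, not documented NGFW behaviour.

```python
"""Model of how an SSL decryption exclusion entry is matched against a TLS session.

Added example, not Palo Alto Networks code. It follows the rules stated on the page:
an entry matches when either the client-hello SNI or the server certificate CN equals
the hostname, hostnames are case-sensitive, a custom entry overrides a predefined entry
with the same hostname, and a wildcard entry covers hostnames under a domain. The
hostnames, the wildcard covering one or more leading labels, and checking custom entries
before predefined ones are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Exclusion:
    hostname: str          # exact hostname or a wildcard such as *.corp.example
    exclude: bool = True   # PAN-OS "Exclude" checkbox; False re-enables decryption
    description: str = ""


def hostname_matches(entry: str, name: Optional[str]) -> bool:
    """Case-sensitive comparison of a session name against one exclusion hostname."""
    if not name:
        return False
    if entry.startswith("*."):
        suffix = entry[1:]                       # "*.corp.example" -> ".corp.example"
        # Assumption: the wildcard stands for at least one label, so the bare
        # domain "corp.example" is not covered by "*.corp.example".
        return name.endswith(suffix) and len(name) > len(suffix)
    return entry == name


def decryption_decision(sni: Optional[str], cert_cn: Optional[str],
                        predefined: List[Exclusion],
                        custom: List[Exclusion]) -> Tuple[bool, str]:
    """Return (decrypt, reason) for a session with the given SNI and certificate CN.

    Custom entries are consulted first so that a custom entry takes precedence over
    a predefined entry for the same hostname; a custom entry with exclude=False
    therefore re-enables decryption of a host that the predefined list excludes.
    """
    for scope, entries in (("custom", custom), ("predefined", predefined)):
        for e in entries:
            if hostname_matches(e.hostname, sni) or hostname_matches(e.hostname, cert_cn):
                return (not e.exclude, f"{scope} entry {e.hostname}")
    return (True, "no exclusion matched")


def audit_custom_list(predefined: List[Exclusion],
                      custom: List[Exclusion]) -> Dict[str, List[str]]:
    """Checks to run before committing custom entries.

    redundant:     custom exclusions that only repeat a predefined exclusion
    case_variants: custom hostnames that differ from a predefined one only in case;
                   matching is case-sensitive, so these never match the intended host
    duplicates:    the same hostname entered more than once in the custom list
    """
    predefined_names = {e.hostname for e in predefined}
    lower_to_predefined = {n.lower(): n for n in predefined_names}
    seen: Set[str] = set()
    report: Dict[str, List[str]] = {"redundant": [], "case_variants": [], "duplicates": []}
    for e in custom:
        if e.hostname in seen:
            report["duplicates"].append(e.hostname)
        seen.add(e.hostname)
        if e.exclude and e.hostname in predefined_names:
            report["redundant"].append(e.hostname)
        elif e.hostname not in predefined_names and e.hostname.lower() in lower_to_predefined:
            report["case_variants"].append(e.hostname)
    return report


# Constructed lists; the hostnames are placeholders, not real predefined entries.
PREDEFINED = [Exclusion("pinned.vendor.example", description="stand-in for a predefined entry"),
              Exclusion("update.vendor.example", description="stand-in for a predefined entry"),
              Exclusion("telemetry.vendor.example", description="stand-in for a predefined entry")]
CUSTOM = [Exclusion("app.corp.example", description="internal app that uses client authentication"),
          Exclusion("*.legacy.corp.example", description="legacy hosts with unsupported ciphers"),
          Exclusion("pinned.vendor.example", exclude=False, description="start decrypting again"),
          Exclusion("update.vendor.example", description="already in the predefined list"),
          Exclusion("Update.vendor.example", description="typo: case differs from the predefined entry"),
          Exclusion("app.corp.example", description="accidental duplicate")]

if __name__ == "__main__":
    for sni, cn in [("app.corp.example", "app.corp.example"),
                    (None, "app.corp.example"),                  # no SNI, CN still matches
                    ("App.corp.example", "App.corp.example"),    # case mismatch: decrypted
                    ("old.legacy.corp.example", "*.legacy.corp.example"),
                    ("legacy.corp.example", "legacy.corp.example"),
                    ("pinned.vendor.example", "pinned.vendor.example"),
                    ("telemetry.vendor.example", "telemetry.vendor.example"),
                    ("www.other.example", "www.other.example")]:
        print(sni, cn, decryption_decision(sni, cn, PREDEFINED, CUSTOM))
    print(audit_custom_list(PREDEFINED, CUSTOM))
```

Run it as-is to see each decision and the audit report; to check a planned entry, add it to CUSTOM and look for it in the `redundant` or `case_variants` lists before committing.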
Exclude a Server from Decryption for Technical Reasons (Strata Cloud Manager)
Add servers to the Global Decryption Exclusions list to exclude them from decryption
for technical reasons. For traffic you deliberately choose not to decrypt for business,
regulatory, or privacy reasons, use a policy-based decryption exclusion instead.
Log in to Strata Cloud Manager.
Navigate to the Global Decryption Exclusions settings.
Add an entry to the Custom Exclusions list.
Click the + (plus icon).
Enter the Hostname of the website or application you want to exclude from decryption. The hostname is case-sensitive.
Make sure that the hostname is unique for each entry. If the hostname of a predefined exclusion matches the hostname of a custom entry, the custom entry takes precedence.
You can use wildcards to exclude multiple hostnames associated with a domain. The NGFW does not decrypt the sessions if the server presents a Common Name (CN) that matches the domain.
(Optional) Enter a Description.
Exclude a Server from Decryption for Technical Reasons (PAN-OS)
Log in to the web interface.
Navigate to the SSL Decryption Exclusions list.
Add a new decryption exclusion, or select an existing custom entry to modify.
Enter the hostname of the website or application you want to exclude from decryption. The hostname is case-sensitive.
Make sure that the hostname field is unique for each custom entry. If a predefined exclusion matches a custom entry, the custom entry takes precedence.
You can use wildcards to exclude multiple hostnames associated with a domain. The NGFW does not decrypt the sessions if the server presents a Common Name (CN) that matches the domain.
(Optional) To share the exclusion across all virtual systems in a multiple virtual system NGFW, select Shared.
Select Exclude to exclude the application from decryption. Deselect this option to begin decrypting an entry that was previously excluded from decryption.
Click OK.
Commit your changes.