Focus

Local Decryption Exclusion Cache

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Exclude a Server from Decryption for Technical Reasons

Create a Policy-Based Decryption Exclusion

Local Decryption Exclusion Cache

Automatically add Decryption exclusions to the local exclusion cache to allow application traffic that uses unsupported modes.

The firewall can add servers to the Local Decryption Exclusion cache (DeviceCertificate ManagementSSL Decryption ExclusionShow Local Exclusion Cache) and exclude their traffic from decryption automatically for 12 hours if that traffic breaks decryption for technical reasons such as a pinned certificate or an unsupported certificate. When the Decryption profile allows unsupported modes—sessions with client authentication, unsupported versions, or unsupported cipher suites—and the allowed traffic uses an unsupported mode, then the device automatically adds the server to the local exclusion cache and bypasses decryption. The firewall doesn’t decrypt, inspect, and enforce Security policy on traffic that the Local Decryption Exclusion cache allows because the traffic remains encrypted. Ensure that the sites you exclude from decryption (by applying a Decryption profile that allows unsupported modes) are sites with applications or services you need for business.

Blocking unsupported modes blocks communication with applications that use those modes to increase security. Client authentication is a common reason for excluding applications from decryption, which is why the best practice is to block unsupported versions and unsupported ciphers and to allow client authentication in the Decryption profile. If the Decryption profile allows client authentication, then when a client starts a session with a server that requires the client to authenticate, instead of blocking the traffic because the firewall can’t decrypt it, the firewall adds the application and server to the local exclusion cache and allows the traffic.

If you allow traffic from sites that use client authentication and are not in the predefined sites on the SSL Decryption Exclusion list, create a Decryption profile that allows sessions with client authentication. Add the profile to a Decryption policy rule that applies only to the server(s) that host the application. To increase security even more, you can require Multi-Factor Authentication to complete the user login process. Alternatively, you can add the site to the SSL Decryption Exclusion list to skip decryption without using an explicit Decryption policy.

The firewall adds Local SSL Decryption Exclusion cache entries based on the Decryption policy and profile that controls the application traffic. If you don’t block Unsupported Mode Checks in the Decryption profile, the firewall adds entries to the Local SSL Decryption Exclusion cache when:

The client supports only TLSv1.2 and the server supports only TLSv1.3. In the local cache, the Reason shown for this exclusion is SSL_UNSUPPORTED.
The client supports TLSv1.3 and TLSv1.2, and the server supports only TLSv1.2. In this case, the Reason column shows TLS13_UNSUPPORTED.

When the Reason for adding a server to the Local SSL Decryption Exclusion cache is TLS13_UNSUPPORTED, the firewall downgrades the protocol to TLSv1.2 and the firewall decrypts and inspects the traffic.
The client advertises a specific cipher that the server doesn’t support.
The client advertises a specific curve that the server doesn’t support.

The local cache contains a maximum of 1,024 entries. You can’t add local exclusions to the Local SSL Decryption Exclusion cache manually (but you can add decryption exclusions to the SSL Decryption Exclusion list manually).

You must have superuser or Certificate Management administrative access to view the Local SSL Decryption Exclusion cache. To view it, navigate to DeviceCertificate ManagementSSL Decryption Exclusion and then click Show Local Exclusion Cache near the bottom of the screen. The local exclusion cache displays the application, the server, the reason for inclusion in the cache, the Decryption profile that controls the traffic, and more for each entry. You can select and delete entries from the local cache manually.

You can also delete cached entries using the CLI:

clear ssl-decrypt exclude-cache [server <value>] [application <value>]

If anyone attempts to access the same server before the local cache entry ages out (12 hours), the firewall matches the session to the cache entry, bypasses decryption, and allows the traffic. The firewall flushes the local exclusion cache if you change the Decryption policy or profile because those changes may affect the classification of the session. If the cache becomes full, the firewall purges the oldest entries as new entries arrive.

Exclude a Server from Decryption for Technical Reasons

Create a Policy-Based Decryption Exclusion

Next-Generation Firewall Docs

Local Decryption Exclusion Cache

Next-Generation Firewall Docs

Local Decryption Exclusion Cache

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner