Configure the decryption rule to match traffic based on network and policy objects:

Firewall security zones: match traffic based on the security zones it traverses.

IP addresses, address objects, and/or address groups: match traffic based on the addresses involved. Alternatively, select the option that negates the source address list, so that the listed source addresses are excluded from decryption.

Users: select the users for whom to decrypt traffic. You can decrypt specific user or group traffic, or decrypt traffic for certain types of users, such as unknown users or pre-logon users (users that are connected to GlobalProtect but are not yet logged

Ports and protocols: set the rule to match traffic based on service. By default, the policy rule is set to decrypt on TCP and UDP ports. You can also specify a service or a service group, and optionally set the rule to match applications only on their application-default ports. The application-default setting is useful when you Configure Decryption Exceptions: you can exclude applications running on their default ports from decryption, while continuing to decrypt the same applications when they are detected on non-standard ports.

URL categories: select Service/URL Category and decrypt traffic based on one of the following:
- An external dynamic list, an externally-hosted list of URLs that the firewall retrieves for policy enforcement (see External Dynamic Lists).
- Custom URL categories.
- Palo Alto Networks URL categories.
This option is useful when you Configure Decryption Exceptions. For example, you could create a custom URL category to group sites that you do not want to decrypt, or you could exclude financial or healthcare-related sites from decryption based on the Palo Alto Networks URL categories.

Action: set the action the policy rule enforces on matching traffic. The rule can either decrypt matching traffic or exclude matching traffic from decryption.
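To make the match dimensions above concrete, here is an added, self-contained model of decryption-rule evaluation written for this page; it is not PAN-OS code and does not reproduce the firewall's real configuration syntax. Rules are evaluated top-down and the first match decides between "decrypt" and "no-decrypt". The sample rulebase reproduces the two exception patterns the text describes (a no-decrypt rule for financial and healthcare URL categories, and a no-decrypt rule for applications on their application-default ports, so the same application on a non-standard port is still decrypted), plus a decrypt rule that uses source negation and the "known-user" selector. The application-default port table, the session fields, the rule names and the "undecrypted when no rule matches" default are all constructed assumptions of this model.

```python
"""Toy model of decryption-policy matching (constructed example, not PAN-OS code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = "any"

# Hypothetical application-default port table (constructed; the firewall ships its own).
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
}


@dataclass
class Session:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    user: str          # directory user, or the special states "unknown" / "pre-logon"
    app: str
    protocol: str      # "tcp" or "udp"
    dst_port: int
    url_category: str


@dataclass
class Rule:
    name: str
    action: str                                              # "decrypt" or "no-decrypt"
    from_zones: set = field(default_factory=lambda: {ANY})
    to_zones: set = field(default_factory=lambda: {ANY})
    sources: list = field(default_factory=lambda: [ANY])     # CIDR strings or "any"
    negate_source: bool = False                              # exclude the listed sources instead
    destinations: list = field(default_factory=lambda: [ANY])
    users: set = field(default_factory=lambda: {ANY})        # names, "known-user", "unknown", "pre-logon"
    service: str = ANY                                       # "any", "application-default" or "tcp/443"
    categories: set = field(default_factory=lambda: {ANY})   # URL categories


def _zone_match(zone, zones):
    return ANY in zones or zone in zones


def _addr_match(ip, cidrs, negate=False):
    hit = ANY in cidrs or any(ip_address(ip) in ip_network(c) for c in cidrs)
    return (not hit) if negate else hit


def _user_match(user, users):
    if ANY in users or user in users:
        return True
    # "known-user" covers every mapped user but not the special unknown/pre-logon states
    return "known-user" in users and user not in ("unknown", "pre-logon")


def _service_match(sess, service):
    if service == ANY:
        return True
    if service == "application-default":
        return (sess.protocol, sess.dst_port) in APP_DEFAULT_PORTS.get(sess.app, set())
    proto, port = service.split("/")          # explicit service such as "tcp/443"
    return sess.protocol == proto and sess.dst_port == int(port)


def rule_matches(rule, s):
    return (_zone_match(s.src_zone, rule.from_zones)
            and _zone_match(s.dst_zone, rule.to_zones)
            and _addr_match(s.src_ip, rule.sources, rule.negate_source)
            and _addr_match(s.dst_ip, rule.destinations)
            and _user_match(s.user, rule.users)
            and _service_match(s, rule.service)
            and (ANY in rule.categories or s.url_category in rule.categories))


def decide(rules, s):
    """First matching rule wins. Assumption of this model: traffic that matches
    no rule is left undecrypted, since only a rule can enable decryption."""
    for rule in rules:
        if rule_matches(rule, s):
            return rule.name, rule.action
    return None, "no-decrypt"


# Constructed rulebase mirroring the exceptions described in the text.
RULES = [
    Rule("no-decrypt-finance-health", "no-decrypt",
         categories={"financial-services", "health-and-medicine"}),
    Rule("no-decrypt-app-default-port", "no-decrypt", service="application-default"),
    Rule("decrypt-known-users", "decrypt", from_zones={"trust"}, to_zones={"untrust"},
         sources=["10.0.50.0/24"], negate_source=True, users={"known-user"}),
]


def sample_session(**overrides):
    """Constructed baseline session; override any field to build a variant."""
    base = dict(src_zone="trust", dst_zone="untrust", src_ip="10.0.10.5",
                dst_ip="203.0.113.10", user="acme\\alice", app="ssl",
                protocol="tcp", dst_port=443, url_category="computer-and-internet-info")
    base.update(overrides)
    return Session(**base)


if __name__ == "__main__":
    cases = [("bank site", sample_session(url_category="financial-services")),
             ("ssl on 443", sample_session()),
             ("ssl on 8443", sample_session(dst_port=8443)),
             ("pre-logon on 8443", sample_session(dst_port=8443, user="pre-logon")),
             ("negated subnet", sample_session(dst_port=8443, src_ip="10.0.50.7"))]
    for label, sess in cases:
        print(f"{label:18s} -> {decide(RULES, sess)}")
```

The ordering matters in the same way it does on the firewall: the two exception rules sit above the broad decrypt rule, so a financial site or an application on its default port is excluded before the decrypt rule is ever consulted, while the same application on port 8443 falls through to it. The pre-logon and negated-subnet sessions match nothing and stay undecrypted, which is the behaviour a reviewer should expect from a "known-user" selector combined with a negated source list.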