Some applications can’t be decrypted for technical reasons
and some traffic can’t be decrypted for business, compliance, or
regulatory reasons. Make decryption exceptions only when you must.
You can exclude two types of traffic from decryption:
Traffic that breaks decryption for technical reasons, such as using a pinned certificate, an incomplete certificate chain, unsupported ciphers, or mutual authentication (decrypting such traffic blocks it). Palo Alto Networks provides a predefined SSL Decryption Exclusion list that, by default, excludes from SSL Decryption the hosts whose applications and services are known to break decryption technically. If you encounter sites that break decryption technically and are not on the SSL Decryption Exclusion list, you can add them to the list manually by server hostname. The firewall blocks sites whose applications and services break decryption technically unless you add them to the SSL Decryption Exclusion list.
Traffic that you choose not to decrypt because of business, regulatory, personal, or other reasons, such as financial-services, health-and-medicine, or government traffic. You can choose to exclude this traffic based on source, destination, URL category, and service.
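The two-tier decision described above, modelled as an added Python example that is not PAN-OS code and not from Palo Alto Networks: hostname-based technical exclusions (predefined list plus manual additions) are checked first, then no-decrypt policy rules matched on source, destination, URL category, and service. The hostnames, addresses, and rule names are constructed placeholders, and the justification check at the end is an assumption about how a team might keep exceptions to a minimum.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed stand-in for the predefined exclusion list (placeholder hostnames).
PREDEFINED_EXCLUSIONS = {"*.pinned-cert.example": "pinned certificate",
                         "mtls.example": "mutual authentication"}

@dataclass
class NoDecryptRule:
    """A decryption policy rule with action no-decrypt (a chosen exception)."""
    name: str
    reason: str = ""  # business, regulatory, or other justification
    source: frozenset = frozenset({"any"})
    destination: frozenset = frozenset({"any"})
    url_category: frozenset = frozenset({"any"})
    service: frozenset = frozenset({"any"})

    def matches(self, src, dst, category, service):
        fields = ((src, self.source), (dst, self.destination),
                  (category, self.url_category), (service, self.service))
        return all("any" in allowed or value in allowed for value, allowed in fields)

def decrypt_decision(hostname, src, dst, category, service,
                     manual_exclusions, rules):
    """Return (action, reason); technical exclusions are checked first."""
    host = hostname.lower()
    # 1. Technical exclusions: predefined entries plus manually added hostnames.
    for pattern, why in {**PREDEFINED_EXCLUSIONS, **manual_exclusions}.items():
        if fnmatchcase(host, pattern.lower()):
            return "no-decrypt", f"technical exclusion ({why}): {pattern}"
    # 2. Policy exclusions: the first matching no-decrypt rule wins.
    for rule in rules:
        if rule.matches(src, dst, category, service):
            return "no-decrypt", f"policy exception: {rule.name}"
    return "decrypt", "no exception matched"

def undocumented_exceptions(manual_exclusions, rules):
    """Exceptions with no recorded justification: review and remove if unneeded."""
    hosts = [h for h, why in manual_exclusions.items() if not why.strip()]
    names = [r.name for r in rules if not r.reason.strip()]
    return hosts + names

if __name__ == "__main__":
    manual = {"legacy.intranet.example": "incomplete certificate chain", "odd.partner.example": ""}
    rules = [NoDecryptRule("banking", "PCI scope",
                           url_category=frozenset({"financial-services"}))]
    print(decrypt_decision("www.bank.example", "10.0.0.5", "203.0.113.10",
                           "financial-services", "service-https", manual, rules))
    print(undocumented_exceptions(manual, rules))
```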
To increase visibility into traffic and reduce the attack surface
as much as possible, don’t make decryption exceptions unless you