Exclude a Server from Decryption for Technical Reasons

You can add applications that break decryption for technical reasons and aren’t already on the SSL Decryption Exclusion list, such as internal custom applications, to the list so that the firewall automatically bypasses decryption for them.
If decryption technically breaks an important application or service (decrypting the traffic prevents it from working), you can add the hostname of the site that hosts the application or service to the Palo Alto Networks predefined SSL Decryption Exclusion list to create a custom decryption exception. The firewall doesn’t decrypt traffic that the SSL Decryption Exclusion list allows, so it can’t inspect that traffic or enforce Security policy on its content; the traffic passes through encrypted. For that reason, be sure that the sites you add to the list really are sites that host applications or services you need for business. For example, some business-critical internal custom applications may break decryption; you can add them to the list so that the firewall allows the encrypted custom application traffic.
The SSL Decryption Exclusion list is not for sites that you choose not to decrypt for legal, regulatory, business, privacy, or other volitional reasons; it is only for sites that break decryption technically. For traffic that you choose not to decrypt (by IP address, user, URL category, service, or even entire zones), Create a Policy-Based Decryption Exclusion instead.
Reasons that sites break decryption technically include pinned certificates, mutual (client certificate) authentication, incomplete certificate chains, and unsupported ciphers. HTTP public key pinning (HPKP) usually is not one of them: browsers that implement HPKP exempt certificates that chain to a locally installed trust anchor, so they permit Forward Proxy decryption as long as you install the enterprise CA certificate (or the certificate chain) on the client. (Major browsers have since removed HPKP support entirely.)
If the technical reason for excluding a site from decryption is an incomplete certificate chain (the server doesn’t send the intermediate CA certificates), the next-generation firewall doesn’t fetch the missing intermediates to complete the chain as a browser would. Before you add such a site to the SSL Decryption Exclusion list, manually review the site to ensure it’s a legitimate business site; then, instead of leaving the traffic encrypted, download the missing sub-CA (intermediate) certificates and load and deploy them onto the firewall so that it can complete the chain and decrypt the traffic.
After you add a server to the SSL Decryption Exclusion list, the firewall compares the hostname you used to define the exclusion against the common name (CN) in the certificate that the server presents. If a single server hosts multiple websites using different certificates, the firewall instead compares the hostname against the server name indication (SNI) that the client sends to indicate the server it wants to reach.
  1. Select Device > Certificate Management > SSL Decryption Exclusions.
  2. Add a new decryption exclusion, or select an existing custom entry to modify it.
  3. Enter the hostname of the website or application you want to exclude from decryption.
    To exclude all hostnames associated with a certain domain from decryption, use a wildcard asterisk (*), for example *.pinnedcerts.com. In this case, all sessions where the server presents a CN that contains the domain are excluded from decryption.
    Make sure that the hostname field is unique for each custom entry. If a predefined decryption exclusion hostname matches the hostname of a custom entry, the custom entry takes precedence.
  4. (Optional) Select Shared to share the exclusion across all virtual systems in a multiple virtual system firewall.
  5. Exclude the application from decryption.
    The following example shows an SSL Decryption exclusion for all hostnames associated with the fictitious site pinnedcerts.com, shares the exception with all virtual systems on the firewall, provides the reason for the exclusion (the Description, which displays in the Description column of the SSL Decryption Exclusion list), and excludes the traffic from decryption.
    (Figure: create-ssl-decryption-exclusion.png, screenshot of the SSL Decryption Exclusion entry described above)
    Alternatively, if you modify an existing decryption exclusion, you can clear the Exclude checkbox to start decrypting traffic from that host. However, if the traffic still breaks decryption technically, the firewall blocks it.
  6. Click OK to save the new SSL Decryption Exclusion list entry.
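The matching rules described above (SNI on shared hosts, otherwise the certificate CN; a leading wildcard covering a whole domain; a custom entry taking precedence over a predefined entry with the same hostname) are modelled in the following Python script. It is an added illustration, not PAN-OS code or Palo Alto Networks' matching implementation; the list entries, session names and the assumption that a wildcard covers the bare domain plus every subdomain are constructed here for the example.

```python
# Added illustrative model of how an SSL Decryption Exclusion list entry is
# matched against a TLS session. This is NOT PAN-OS code; it encodes the rules
# the page describes (SNI for shared hosts, otherwise certificate CN; a leading
# "*." wildcard covers a whole domain; a custom entry overrides a predefined
# entry with the same hostname). All entries and sessions below are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Exclusion:
    hostname: str             # as typed into the Hostname field, e.g. "*.pinnedcerts.com"
    exclude: bool = True      # False models a custom entry with the Exclude box cleared
    predefined: bool = False  # True models an entry from the predefined list
    description: str = ""


def hostname_matches(pattern: str, name: str) -> bool:
    """Return True if a list entry's hostname covers the presented server name.

    Matching is case-insensitive and ignores a trailing dot. A leading "*."
    wildcard covers the bare domain and every label below it (modelling
    assumption for the page's "CN that contains the domain").
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern.startswith("*."):
        domain = pattern[2:]
        return name == domain or name.endswith("." + domain)
    return pattern == name


def presented_name(sni: Optional[str], cn: str) -> str:
    """Pick the name to compare: the client's SNI when present (a shared host
    may serve several certificates), otherwise the certificate CN."""
    return sni if sni else cn


def decide(exclusions: List[Exclusion], sni: Optional[str], cn: str) -> Tuple[str, Optional[str]]:
    """Return ("bypass" | "decrypt", matched entry hostname or None) for one session.

    Custom entries are consulted before predefined ones, so a custom entry with
    Exclude cleared forces decryption even if the predefined list excludes the
    same hostname. Within each group, exact entries are tried before wildcards.
    """
    name = presented_name(sni, cn)
    ordered = sorted(exclusions, key=lambda e: (e.predefined, e.hostname.startswith("*.")))
    for entry in ordered:
        if hostname_matches(entry.hostname, name):
            return ("bypass" if entry.exclude else "decrypt", entry.hostname)
    return ("decrypt", None)  # no entry matched: decryption policy decides


# Constructed sample list: one stand-in predefined entry plus two custom entries.
SAMPLE_LIST = [
    Exclusion("predefined.example", exclude=True, predefined=True,
              description="Constructed stand-in for a predefined entry"),
    Exclusion("*.pinnedcerts.com", exclude=True,
              description="Fictitious internal app with pinned certificates"),
    Exclusion("predefined.example", exclude=False,
              description="Custom override: decrypt despite the predefined entry"),
]

if __name__ == "__main__":
    sessions = [
        (None, "pinnedcerts.com"),                       # CN only, matches the wildcard domain
        ("www.pinnedcerts.com", "shared-host.example"),  # SNI selects the site on a shared host
        ("www.example.com", "example.com"),              # no entry: decrypt as policy dictates
        (None, "predefined.example"),                    # custom entry overrides predefined
        (None, "notpinnedcerts.com"),                    # similar-looking name must not match
    ]
    for sni, cn in sessions:
        action, matched = decide(SAMPLE_LIST, sni, cn)
        print(f"SNI={sni!s:<22} CN={cn:<22} -> {action:<7} ({matched})")
```

Running the script prints one line per constructed session. The last case is the check worth keeping in mind when you type a wildcard entry: a suffix match on the domain label is deliberately stricter than a raw substring match, so a look-alike hostname such as notpinnedcerts.com is still decrypted.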
