End-of-Life (EoL)

Management for Certificates Excluded from Decryption

You now have increased flexibility and control to manage traffic excluded from decryption. Centralized management for decryption exclusions allows you to:
  • View the applications and services that the firewall does not decrypt. Palo Alto Networks provides predefined decryption exclusions to indicate applications and services that do not function correctly when the firewall decrypts them. The Applications and Threats content update (or the Applications content update, if you do not have a Threat Prevention license) include updates and additions to predefined decryption exclusions.
  • Exclude a server from decryption based on the server hostname. All traffic originating from or destined to that server is excluded from decryption. Certificates enabled as SSL exclude certificates in PAN-OS 7.1, where a targeted server was excluded from decryption based on the CN in the server certificate, are automatically recreated as custom decryption exclusions in PAN-OS 8.0.
Go over the following steps to create a decryption exclusion and to view both custom and predefined exclusions.
  1. View decryption exclusions.
    Select
    Device
    Certificate Management
    SSL Decryption Exclusions
    and view the list of both predefined and custom decryption exclusions.
    Entry details show whether the exclusion is predefined or custom, provides a description of the exclusion, and indicates if the exclusion is enabled:
    • Location—Indicates that an entry is predefined, or, for custom entries, indicates whether the entry is shared across all virtual systems or if it’s specific to a single virtual system.
    • Exclude from decryption—A selected checkbox indicates that the firewall is actively enforcing the decryption exclusion.
  2. Add a new decryption exclusion, or modify an existing one.
    1. Select
      Device
      Certificate Management
      SSL Decryption Exclusions
      .
    2. Add
      a new entry, or select an entry to modify it.
    3. (
      Custom exclusions only
      ) Enter the
      hostname
      of the website or application you want to exclude from decryption. This hostname is compared against the SNI requested by the client or the CN presented in the server certificate.
      To exclude all hostnames associated with a certain domain from decryption, you can use a wildcard asterisk (*). In this case, all sessions where the server presents a CN that contains the domain are excluded from decryption.
      Make sure that the hostname field is unique for each custom entry. If a predefined exclusion matches a custom entry, the custom entry takes precedence.
    4. Optionally, select
      Shared
      to share the exclusion across all virtual systems in a multiple virtual system firewall.
    5. Exclude
      the application from decryption, or clear this checkbox to start decrypting an entry that was previously excluded from decryption.
    6. Click
      OK
      to save the new exclusion entry.
  3. Enable or disable one or more exclusions at a time.
    1. Select
      Device
      Certificate Management
      SSL Decryption Exclusions
      .
    2. Select one or more decryption exclusion entries.
    3. Click
      Enable
      to exclude all selected entries from decryption, or
      Disable
      to turn on decryption for the selected entries.
  4. Remove outdated decryption exclusions.
    Palo Alto Networks removes decryption exclusions from the list when they become obsolete (for example, when an application that decryption previously caused to break now supports decryption). However, if a predefined decryption exclusion is disabled, it is not automatically removed the list.
    Select
    Show Obsoletes
    to check if there are disabled, predefined exclusions on your list that Palo Alto Networks that are no longer needed.

Recommended For You