Exclude a Server from Decryption for Technical Reasons

You can add applications that break decryption for technical reasons and aren’t already on the SSL Decryption Exclusion list such as internal custom applications to the list to automatically bypass decryption.
If decryption breaks an important application or service technically (decrypting the traffic blocks it), you can add the hostname of the site that hosts to the application or service to the Palo Alto Networks predefined SSL Decryption Exclusion list to create a custom decryption exception. The firewall doesn’t decrypt, inspect, and enforce Security policy on traffic that the SSL Decryption Exclusion list allows because the traffic remains encrypted, so be sure that the sites you add to the list really are sites with applications or services you need for business. For example, some business-critical internal custom applications may break decryption and you can add them to the list so that the firewall allows the encrypted custom application traffic.
The SSL Decryption Exclusion list is
not
for sites that you choose not to decrypt for legal, regulatory, business, privacy, or other volitional reasons, it is only for sites that break decryption technically. For traffic (IP addresses, users, URL categories, services, and even entire zones) that you choose not to decrypt, Create a Policy-Based Decryption Exclusion.
Reasons that sites break decryption technically include pinned certificates, mutual authentication, incomplete certificate chains, and unsupported ciphers. For HTTP public key pinning (HPKP), most browsers that use HPKP permit Forward Proxy decryption as long as you install the enterprise CA certificate (or the certificate chain) on the client.
If the technical reason for excluding a site from decryption is an incomplete certificate chain, the next-generation firewall doesn’t automatically fix the chain as a browser would. If you need to add a site to the SSL Decryption Exclusion list, manually review the site to ensure it’s a legitimate business site, then download the missing sub-CA certificates and load and deploy them onto the firewall.
After you add a server to the SSL Decryption Exclusion list, the firewall compares the server hostname that you use to define the decryption exclusion against the common name (CN) in the certificate a server presents. If a single server hosts multiple websites using different certificates, the firewall compares the hostname against the server name indication (SNI) that the client presents to indicate the server to which it wants to connect.
  1. Select
    Device
    Certificate Management
    SSL Decryption Exclusions
    .
  2. Add
    a new decryption exclusion, or select an existing custom entry to modify it.
  3. Enter the
    hostname
    of the website or application you want to exclude from decryption.
    The hostname is case-sensitive.
    To exclude all hostnames associated with a certain domain from decryption, you can use a wildcard asterisk (*). In this case, all sessions where the server presents a CN that contains the domain are excluded from decryption.
    Make sure that the hostname field is unique for each custom entry. If a predefined exclusion matches a custom entry, the custom entry takes precedence.
  4. (
    Optional
    ) Select
    Shared
    to share the exclusion across all virtual systems in a multiple virtual system firewall.
  5. Exclude
    the application from decryption. Alternatively, if you are modifying an existing decryption exclusion, you can clear this checkbox to start decrypting an entry that was previously excluded from decryption.
  6. Click
    OK
    to save the new exclusion entry.

Related Documentation