Palo Alto Networks Predefined Decryption Exclusions

The firewall automatically bypasses decryption for sites that are known to break decryption for technical reasons such as a pinned certificate (the traffic is still subject to Security policy).
The firewall provides a predefined SSL Decryption Exclusion list to exclude from decryption commonly used sites that break decryption because of technical reasons such as pinned certificates and mutual authentication. The predefined decryption exclusions are enabled by default and Palo Alto Networks delivers new and updated predefined decryption exclusions to the firewall as part of the Applications and Threats content update (or the Applications content update, if you do not have a Threat Prevention license). The firewall does not decrypt traffic that matches predefined exclusions and allows the encrypted traffic based on the Security policy that governs that traffic. However, the firewall can’t inspect the encrypted traffic or enforce Security policy on it.
The SSL Decryption Exclusion list is not for sites that you choose not to decrypt for legal, regulatory, business, privacy, or other volitional reasons; it is only for sites that break decryption technically (decrypting these sites blocks their traffic). For traffic such as IP addresses, users, URL categories, services, and even entire zones that you choose not to decrypt, create a Policy-Based Decryption Exclusion instead.
Because the traffic of sites on the SSL Decryption Exclusion list remains encrypted, the firewall does not inspect the traffic or provide further security enforcement on it. You can disable a predefined exclusion. For example, you may choose to disable predefined exclusions to enforce a strict security policy that allows only applications and services that the firewall can inspect and on which the firewall can enforce Security policy. However, the firewall blocks sites whose applications and services break decryption technically if they are not enabled on the SSL Decryption Exclusion list.
You can view and manage all Palo Alto Networks predefined SSL decryption exclusions directly on the firewall (Device > Certificate Management > SSL Decryption Exclusions).
The Hostname column displays the name of the host that houses the application or service that breaks decryption technically. You can also Add hosts to Exclude a Server from Decryption for Technical Reasons if it is not on the predefined list.
The Description column displays the reason the firewall can’t decrypt the site’s traffic, for example, pinned-cert (a pinned certificate) or client-cert-auth (client authentication).
The firewall automatically removes enabled predefined SSL decryption exclusions from the list when they become obsolete (the firewall removes an application that decryption previously caused to break when the application becomes supported with decryption).
Show Obsoletes checks whether any disabled predefined exclusions remain on the list and are no longer needed. The firewall does not remove disabled predefined decryption exclusions from the list automatically, but you can select and Delete obsolete entries.
You can select a hostname’s checkbox and then click Disable to remove predefined sites from the list. Use the SSL Decryption Exclusion list only for sites that break decryption for technical reasons; don’t use it for sites that you choose not to decrypt.
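The following is an added example, not Palo Alto Networks' own code: it audits a constructed set of TLS sessions against a constructed exclusion list in the shape of the Hostname / Description columns described above, so an administrator can tell which bypasses are explained by an enabled predefined entry, which decrypted sessions hit an entry that was disabled (the case the text warns will break), and which undecrypted sessions must be explained by a policy-based exclusion or a Decryption policy gap. The hostnames and the wildcard-matching rule are assumptions for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample of SSL Decryption Exclusion entries in the shape of the
# Hostname / Description columns: (hostname, reason, enabled). The hostnames
# are placeholders, not Palo Alto Networks' actual predefined entries.
EXCLUSIONS = [
    ("updates.pinned.example", "pinned-cert", True),
    ("*.mtls.example", "client-cert-auth", True),
    ("legacy.pinned.example", "pinned-cert", False),  # disabled by the admin
]

# Constructed session records: (server name from the TLS ClientHello, decrypted?)
SESSIONS = [
    ("updates.pinned.example", False),
    ("api.mtls.example", False),
    ("legacy.pinned.example", True),
    ("www.shop.example", False),
    ("mail.example", True),
]

def match_exclusion(sni, exclusions=EXCLUSIONS):
    """Return the first (hostname, reason, enabled) entry matching the SNI.
    Assumption: a leading '*.' matches any subdomain depth, as fnmatch's '*' does."""
    sni = sni.lower()
    for host, reason, enabled in exclusions:
        if fnmatchcase(sni, host.lower()):
            return host, reason, enabled
    return None

def classify(sni, decrypted, exclusions=EXCLUSIONS):
    """Label one session so an admin can see why it was or was not decrypted."""
    hit = match_exclusion(sni, exclusions)
    if hit and hit[2]:
        # Enabled predefined exclusion: bypass is expected, traffic is uninspected
        return "predefined-exclusion:" + hit[1]
    if hit and not hit[2] and decrypted:
        # A disabled entry was decrypted: this is a site known to break under
        # decryption, so expect the firewall to block it and users to complain
        return "decrypted-despite-known-break:" + hit[1]
    if not decrypted:
        # No enabled predefined match but still not decrypted: must come from a
        # policy-based exclusion or a gap in the Decryption policy; review it
        return "policy-or-gap"
    return "decrypted"

def audit(sessions=SESSIONS, exclusions=EXCLUSIONS):
    """Return {sni: label} for every session record."""
    return {sni: classify(sni, dec, exclusions) for sni, dec in sessions}
```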
