There are a number of Domains/SSL Certificates that are excluded from SSL Decryption.
Starting with PAN-OS 8.0 and newer, the SSL exclusion is handled inside of the Certificates section of the WebUI.
To see the full list of domains/SSL certificates that are excluded from SSL Dectyption, Inside of the WebGUI > Device > Certificate Management > SSL Decryption Exclusion.
The domains selected with the "Exclude from decryption" in this location will not be decrypted by the Palo Alto Networks device.
This list of domains are added the SSL Decryption Exclusion list in each Content load so that the SSL engine will allow them to pass through, rather than trying to decrypt them.
In PAN-OS 7.1 and older, applications were used instead of domains.
These applications are added to an exclude list in each Content load so that the SSL engine will allow them to pass through, rather than trying to decrypt them.