Palo Alto Networks Knowledgebase: How to Exclude a URL from SSL Decryption

How to Exclude a URL from SSL Decryption

Created On 02/08/19 00:08 AM - Last Updated 02/08/19 00:08 AM
Resolution

Overview

This document describes the CLI commands for adding/removing URLs to/from the SSL-exclude-list for exclusion from the SSL decryption.


Details

For example, if a decryption policy decrypts sessions for the URL category "shopping", but sessions to one site in that category (such as www.amazon.com) should be left undecrypted, that single site can be excluded by entering the following commands:

> configure

# set shared ssl-decrypt ssl-exclude-cert www.amazon.com
# commit


This creates an exclude entry for that single site. After adding the exclusion, the browser may need to be refreshed so that it picks up the actual server certificate instead of the certificate issued by the Palo Alto Networks device for decrypted sessions.


The configuration-mode command show shared ssl-decrypt displays the entries currently in the exclude list:

# show shared ssl-decrypt

ssl-decrypt {
  ssl-exclude-cert [ www.amazon.com www.yahoo.com];
}

Note: If, after adding these entries, the traffic logs still show sessions to the excluded site as decrypted, it may be necessary to clear the SSL decryption certificate cache so that the change takes effect:

> debug dataplane reset ssl-decrypt certificate-cache


To revert, run the following commands:

> configure

# delete shared ssl-decrypt ssl-exclude-cert www.amazon.com
# commit
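As an added example (not part of this article and not Palo Alto Networks code), the following Python parses the show shared ssl-decrypt output format shown above and computes the set/delete commands needed to bring the exclude list to a desired state, which is useful when reviewing exclusions across several firewalls. The unbracketed single-entry output form and the hostname normalization are assumptions.

```python
import re

# Constructed sample in the "show shared ssl-decrypt" format shown above.
SAMPLE_SHOW_OUTPUT = """ssl-decrypt {
  ssl-exclude-cert [ www.amazon.com www.yahoo.com];
}
"""

def normalize_host(entry: str) -> str:
    """ssl-exclude-cert takes a hostname (matched against the server certificate),
    not a full URL; strip any scheme, port and path a human may have pasted in.
    (Normalization rules are an assumption, not from the article.)"""
    entry = entry.strip().lower()
    entry = re.sub(r"^[a-z]+://", "", entry)   # drop "https://"
    entry = entry.split("/", 1)[0]             # drop "/path"
    entry = entry.split(":", 1)[0]             # drop ":443"
    if not re.fullmatch(r"[a-z0-9*.-]+", entry):
        raise ValueError(f"not a usable hostname: {entry!r}")
    return entry

def parse_exclude_list(show_output: str) -> set:
    """Return the hostnames in ssl-exclude-cert from 'show shared ssl-decrypt' output.
    Handles the bracketed list form; the bare single-entry form is an assumption."""
    m = re.search(r"ssl-exclude-cert\s+(?:\[([^\]]*)\]|(\S+))\s*;", show_output)
    if not m:
        return set()
    body = m.group(1) if m.group(1) is not None else m.group(2)
    return set(body.split())

def reconcile_commands(current: set, desired: set) -> list:
    """Configure-mode commands that move the exclude list from current to desired.
    Returns an empty list when nothing needs to change (no needless commit)."""
    desired = {normalize_host(h) for h in desired}
    cmds = [f"set shared ssl-decrypt ssl-exclude-cert {h}" for h in sorted(desired - current)]
    cmds += [f"delete shared ssl-decrypt ssl-exclude-cert {h}" for h in sorted(current - desired)]
    if cmds:
        cmds.append("commit")
    return cmds

if __name__ == "__main__":
    current = parse_exclude_list(SAMPLE_SHOW_OUTPUT)
    # Desired state: keep amazon, add a constructed login host, drop yahoo.
    for line in reconcile_commands(current, {"www.amazon.com", "https://login.example.com/"}):
        print(line)
```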


owner: hmistry



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHpCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail