How to Exclude a URL from SSL Decryption

Created On 09/25/18 17:41 PM - Last Modified 02/08/19 00:08 AM



This document describes the CLI commands for adding hostnames to, and removing them from, the SSL exclude list so that sessions to those sites are not decrypted even when an SSL decryption policy would otherwise match them.



For example, if there is a policy to decrypt sessions for the URL category "shopping", but a particular shopping site must not be decrypted, that single site can be excluded by entering the following commands (replace the <hostname> placeholder with the site's hostname as it appears in the common name of the server certificate, for example the name in the address bar without the https:// prefix or any path):

> configure

# set shared ssl-decrypt ssl-exclude-cert <hostname>
# commit


The result is an exclude rule for that single hostname. The browser may need to be refreshed after the exclusion is added so that it picks up the actual server certificate instead of the substitute certificate that the firewall generates and signs with its forward trust CA during decryption.


The configuration mode command show shared ssl-decrypt displays the current entries on the exclude list:

# show shared ssl-decrypt

ssl-decrypt {
  ssl-exclude-cert [];
}


Note: If traffic to the excluded site is still shown as decrypted in the traffic logs after the above changes have been committed, the SSL decryption certificate cache may need to be cleared so the change takes effect. Run the following from operational mode (the > prompt, not configuration mode):
> debug dataplane reset ssl-decrypt certificate-cache


To revert, run the following commands, using the same <hostname> that was added:

> configure

# delete shared ssl-decrypt ssl-exclude-cert <hostname>
# commit
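Because the exclude list is keyed by hostname rather than by full URL, it is easy to paste a URL with a scheme and path into the set command and end up with an entry that never matches. The following Python helper, added here as an example and not part of the original article or of Palo Alto Networks' tooling, parses the output of show shared ssl-decrypt, normalizes a list of desired URLs or hostnames down to bare hostnames, and emits the set/delete/commit commands plus the certificate-cache reset described above. The sample show output and all hostnames are constructed, and the bracket-free form for a single-entry list is an assumption about the display format.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of `show shared ssl-decrypt` output. The hostnames are
# hypothetical; the single-entry (bracket-free) display form is assumed.
SAMPLE_SHOW_OUTPUT = """\
ssl-decrypt {
  ssl-exclude-cert [ shop.example.com cdn.example.net];
}
"""

# Matches either the bracketed multi-value form `ssl-exclude-cert [ a b ];`
# or the assumed single-value form `ssl-exclude-cert a;`.
EXCLUDE_RE = re.compile(r"ssl-exclude-cert\s+(?:\[([^\]]*)\]|([^\s;\[\]]+))\s*;")


def parse_exclude_list(show_output: str) -> set[str]:
    """Return the hostnames currently on the SSL exclude list."""
    m = EXCLUDE_RE.search(show_output)
    if not m:
        return set()
    if m.group(1) is not None:
        return set(m.group(1).split())  # empty string -> empty set
    return {m.group(2)}


def to_hostname(entry: str) -> str:
    """Reduce a URL or bare hostname to the hostname the exclude entry must use.

    The exclusion matches the server certificate's common name, so scheme,
    port, path and query string are all stripped and the name is lowercased.
    """
    s = entry.strip()
    if "://" not in s:
        s = "https://" + s  # let urlsplit treat the leading token as the host
    host = urlsplit(s).hostname
    if not host:
        raise ValueError(f"no hostname found in {entry!r}")
    return host.lower()


def plan_commands(current: set[str], desired: list[str]) -> list[str]:
    """Produce the PAN-OS CLI lines that move the exclude list to `desired`.

    Returns an empty list when the list already matches. Otherwise the plan
    enters configuration mode, adds missing hosts, deletes surplus hosts,
    commits, returns to operational mode, and clears the certificate cache so
    the change is enforced for sessions whose certificate was already cached.
    """
    want = {to_hostname(e) for e in desired}
    cmds = ["configure"]
    for host in sorted(want - current):
        cmds.append(f"set shared ssl-decrypt ssl-exclude-cert {host}")
    for host in sorted(current - want):
        cmds.append(f"delete shared ssl-decrypt ssl-exclude-cert {host}")
    if len(cmds) == 1:
        return []
    cmds += ["commit", "exit", "debug dataplane reset ssl-decrypt certificate-cache"]
    return cmds


if __name__ == "__main__":
    current = parse_exclude_list(SAMPLE_SHOW_OUTPUT)
    # Hypothetical target list: one entry pasted as a full URL on purpose.
    desired = ["https://shop.example.com/cart?item=1", "pay.example.org"]
    for line in plan_commands(current, desired):
        print(line)
```

The commands are printed rather than executed so they can be reviewed before being pasted into the firewall CLI; the `exit` step matters because the debug command is only available from operational mode.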


owner: hmistry
