Palo Alto Networks Knowledgebase: How to Exclude a URL from SSL Decryption
How to Exclude a URL from SSL Decryption
Created On 02/08/19 00:08 AM - Last Updated 02/08/19 00:08 AM
This document describes the CLI commands for adding/removing URLs to/from the SSL-exclude-list for exclusion from the SSL decryption.
For example, if there is a policy to decrypt sessions for the category "shopping", but the wish is to exclude and not decrypt sessions to a site categorized as shopping (such as www.amazon.com), the single URL can be excluded by entering the following commands:
The result will create an exclude rule for a single URL. The browser may need to be refreshed after adding the exclusion rule to have it recognize the actual server certificate, as opposed to the self-signed certificate from the Palo Alto Networks device.
The command configuration mode command, show shared ssl-decrypt, will display the entries in the exclude cache:
Note: In the event that adding these entries traffic is still reflected as decrypted in the traffic logs after making the above changes, it may be required to clear the SSL Decryption certificate cache to enforce the change. > debug dataplane reset ssl-decrypt certificate-cache