Overview
This document describes the CLI commands for adding URLs to, and removing them from, the SSL exclude list so that sessions to those sites are excluded from SSL decryption.
Details
For example, if a policy decrypts sessions for the URL category "shopping", but sessions to one site in that category (such as www.amazon.com) should not be decrypted, that single URL can be excluded by entering the following commands:
> configure
# set shared ssl-decrypt ssl-exclude-cert www.amazon.com
# commit
The result is an exclude rule for a single URL. After adding the exclusion rule, the browser may need to be refreshed so that it picks up the actual server certificate instead of the certificate presented by the Palo Alto Networks device during decryption.
The configuration mode command show shared ssl-decrypt displays the entries in the exclude list:
# show shared ssl-decrypt
ssl-decrypt {
ssl-exclude-cert [ www.amazon.com www.yahoo.com];
Note: If traffic to these sites still appears as decrypted in the traffic logs after the above changes have been committed, it may be necessary to clear the SSL decryption certificate cache for the change to take effect:
> debug dataplane reset ssl-decrypt certificate-cache
To revert, run the following commands:
> configure
# delete shared ssl-decrypt ssl-exclude-cert www.amazon.com
# commit
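As an added example (not part of the original article and not Palo Alto Networks code), the POSIX shell functions below show how an operator might work with this exclusion list from a management host: parsing the output of show shared ssl-decrypt to check whether a given hostname is already excluded, and generating the set/delete commands for a list of hostnames after validating each name. The sample show output is constructed to mirror the format above; the function names are hypothetical, and the handling of a single-entry list printed without square brackets is an assumption about how PAN-OS renders one-member lists.

```shell
#!/bin/sh
# Constructed sample of "show shared ssl-decrypt" output (not captured from a device).
SAMPLE_SHOW_OUTPUT='ssl-decrypt {
  ssl-exclude-cert [ www.amazon.com www.yahoo.com];
}'

# Print the excluded hostnames found in show output ($1), one per line.
# Handles both the bracketed multi-entry form and an assumed single-entry
# form "ssl-exclude-cert host;" with no brackets.
parse_ssl_exclusions() {
  printf '%s\n' "$1" \
    | sed -n -e 's/.*ssl-exclude-cert *\[\(.*\)\];.*/\1/p' \
             -e 's/.*ssl-exclude-cert *\([^;[]*\);.*/\1/p' \
    | tr ' ' '\n' \
    | sed '/^$/d'
}

# Succeed (exit 0) if hostname $2 is present in the show output $1.
is_ssl_excluded() {
  parse_ssl_exclusions "$1" | grep -qx "$2"
}

# Validate a hostname before building a command: dot-separated labels of
# letters, digits and hyphens, ending in an alphabetic top-level label.
valid_hostname() {
  printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Emit configure-mode commands for each hostname in the newline-separated
# list $2, using action $1 ("set" to add, "delete" to remove). Invalid names
# are reported on stderr and skipped rather than sent to the device.
build_exclusion_commands() {
  action="$1"; list="$2"
  printf '%s\n' "$list" | while IFS= read -r host; do
    [ -z "$host" ] && continue
    if valid_hostname "$host"; then
      printf '%s shared ssl-decrypt ssl-exclude-cert %s\n' "$action" "$host"
    else
      printf 'skipped invalid hostname: %s\n' "$host" >&2
    fi
  done
}

# Usage: check the sample, then print the commands to exclude two more sites.
parse_ssl_exclusions "$SAMPLE_SHOW_OUTPUT"
is_ssl_excluded "$SAMPLE_SHOW_OUTPUT" www.amazon.com && echo "www.amazon.com already excluded"
build_exclusion_commands set 'shop.example.net
store.example.org'
```

The generated lines are meant to be pasted into configure mode, followed by commit as shown above; comparing parse_ssl_exclusions output against an expected list is also a simple way to detect drift in the exclusion list between audits.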
owner: hmistry