How to Enable/Reset the Opt-Out Page for SSL Decryption

Created On 09/25/18 17:52 PM - Last Modified 07/19/22 23:07 PM



This document describes how to enable the opt-out response page, which notifies users when their traffic is inspected or decrypted. The opt-out page can be enabled from the CLI or from the PAN-OS Web GUI. When enabled, the response page is displayed once every 24 hours when user traffic is being inspected or decrypted.

Note: Edit the response page at Device > Response Pages > SSL Decryption Opt-Out Page.



From the CLI

Run the following commands to enable the opt-out page:

  1. > configure
  2. # set deviceconfig setting ssl-decrypt notify-user yes
  3. # commit


From the PAN-OS Web GUI

On PAN-OS 6.1, 7.0, 7.1, 8.0:

  1. Go to Device > Response Pages.
  2. Click 'Disabled' for SSL Decryption Opt-out Page.
  3. On the SSL Opt-out Page dialog, check Enable SSL Opt-out Page and click OK.
  4. Commit the changes.


To verify the setting, run the following CLI command:

> show system setting ssl-decrypt setting

vsys                          : vsys1
Forward Proxy Ready           : yes
Inbound Proxy Ready           : no
Disable ssl                   : no
Disable ssl-decrypt           : no
Notify user                   : yes

Proxy for URL                 : yes
Wait for URL                  : no
Block revoked Cert            : yes
Block timeout Cert            : no
Block unknown Cert            : no
Cert Status Query Timeout     : 5
URL Category Query Timeout    : 5
Use Cert Cache                : yes
Verify CRL                    : no
Verify OCSP                   : no
CRL Status receive Timeout    : 5
OCSP Status receive Timeout   : 5
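
When this output is collected from several firewalls, the "Notify user" check can be scripted. The following is an added example, not part of the original article: the function names, the baseline values, and the assumption that the block repeats once per vsys are illustrative, and the sample text is constructed.

```python
"""Audit captured `show system setting ssl-decrypt setting` output."""
import re

# Assumed baseline for this example: the opt-out page needs "Notify user: yes",
# and decryption itself must not be disabled.
BASELINE = {"Notify user": "yes", "Disable ssl-decrypt": "no"}

LINE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")

def parse_settings(text):
    """Return {vsys: {setting: value}}; a 'vsys' line starts a new block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank lines and the echoed command have no "key : value"
        key, value = m.group("key"), m.group("value")
        if key.lower() == "vsys":
            current = blocks.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return blocks

def audit(blocks, baseline=BASELINE):
    """List (vsys, setting, found, expected) for each deviation or missing key."""
    findings = []
    for vsys, settings in sorted(blocks.items()):
        for key, expected in baseline.items():
            found = settings.get(key)
            if found is None or found.lower() != expected:
                findings.append((vsys, key, found, expected))
    return findings

# Constructed sample: vsys1 is abridged from the output above; vsys2 is
# invented to show a failing case.
SAMPLE = """\
vsys                          : vsys1
Forward Proxy Ready           : yes
Disable ssl-decrypt           : no
Notify user                   : yes

vsys                          : vsys2
Disable ssl-decrypt           : no
Notify user                   : no
"""

if __name__ == "__main__":
    for vsys, key, found, expected in audit(parse_settings(SAMPLE)):
        print(f"{vsys}: {key} is {found!r}, expected {expected!r}")
```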


Command to display the contents of the cache:

> show system setting ssl-decrypt notify-cache


Command to reset the cache so the user can be presented with the opt-out page:

> debug dataplane reset ssl-decrypt notify-cache

+ source   source IP address

  <Enter>  Finish input


owner: sraghunandan
