Palo Alto Networks Knowledgebase: SSL Decrypt Sites Being Blocked by Default Rule
SSL Decrypt Sites Being Blocked by Default Rule
Created On 02/07/19 23:40 PM - Last Updated 02/07/19 23:40 PM
All SSL encrypted sites to be decrypted by the firewall are blocked by a default rule and not hitting the allow rule which preceeds it.
If a policy is set for the application "'web-browsing" and the service is set as "application-default", SSL traffic will never hit the policy as it is coming in on port 443. The default port for "web-browsing" is port 80. Even though the application is being seen as "web-browsing" the port is not the default and traffic will go to the next matching policy. Setting the service to "any' in the allow rule will resolve the issue.