Palo Alto Networks Knowledgebase: SSL Decrypt Sites Being Blocked by Default Rule

SSL Decrypt Sites Being Blocked by Default Rule

Created On 02/07/19 23:40 PM - Last Updated 02/07/19 23:40 PM


All SSL-encrypted sites that the firewall is set to decrypt are blocked by a default rule and do not hit the allow rule that precedes it.



If a policy is set for the application "web-browsing" and the service is set to "application-default", SSL traffic will never hit the policy because it arrives on port 443. The default port for "web-browsing" is port 80. Even though the application is identified as "web-browsing", the port is not the application's default, so the traffic falls through to the next matching policy. Setting the service to "any" in the allow rule will resolve the issue.
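The matching behaviour described above, as a simplified Python model added here for illustration (it is not Palo Alto Networks code). The rule names, the catch-all deny rule and the data model are assumptions; the only default port used is the one the article states.

```python
from dataclasses import dataclass

# Default port per application, as stated in the article.
APP_DEFAULT_PORTS = {"web-browsing": {80}}


@dataclass(frozen=True)
class Rule:
    name: str          # hypothetical rule name
    application: str   # application name, or "any"
    service: str       # "application-default" or "any"
    action: str        # "allow" or "deny"


def service_matches(rule, app, port):
    """Check the port against the rule's service setting."""
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        # Only the identified application's default ports qualify.
        return port in APP_DEFAULT_PORTS.get(app, set())
    raise ValueError(f"unsupported service: {rule.service}")


def evaluate(rulebase, app, port):
    """First-match evaluation: return (rule name, action) of the first hit."""
    for rule in rulebase:
        app_ok = rule.application in ("any", app)
        if app_ok and service_matches(rule, app, port):
            return rule.name, rule.action
    return None, "deny"


# Constructed rulebases: the allow rule precedes a catch-all deny.
BEFORE = [
    Rule("allow-web", "web-browsing", "application-default", "allow"),
    Rule("block-all", "any", "any", "deny"),
]
AFTER = [
    Rule("allow-web", "web-browsing", "any", "allow"),
    Rule("block-all", "any", "any", "deny"),
]

if __name__ == "__main__":
    # Decrypted SSL session: identified as web-browsing, but on port 443.
    print("before fix:", evaluate(BEFORE, "web-browsing", 443))
    print("after fix: ", evaluate(AFTER, "web-browsing", 443))
    # Clear-text HTTP on port 80 matches the allow rule either way.
    print("port 80:   ", evaluate(BEFORE, "web-browsing", 80))
```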




owner:  nayubi
