"a.b.google.com" does not match "*.google.com" specified in SSL Decryption Exclusion
Created On 11/21/19 02:48 AM - Last Modified 06/01/23 07:07 AM
Symptom
Traffic for a.b.google.com is decrypted even when *.google.com is specified in SSL Decryption Exclusion under Device -> Certificate Management
Environment
Palo Alto Networks firewall configured with an SSL Decryption Exclusion under Device -> Certificate Management
Cause
Currently SSL Decryption Exclusion only supports "^" (caret) as the wildcard character. An asterisk entered in the exclusion list is internally translated to a caret.
Asterisks therefore behave the same way carets (^) behave for URL category exceptions: each asterisk matches exactly one variable subdomain (label) in the hostname, so a single wildcard never spans two labels.
Resolution
For example, to use wildcards to exclude "video-stats.video.google.com" from decryption but not to exclude "video.google.com" from decryption, exclude *.*.google.com.
Here are more examples that show how the asterisk matches:
- mail.*.com matches mail.company.com but does not match mail.company.sso.com.
- *.company.com matches tools.company.com but does not match eng.tools.company.com.
- *.*.company.com matches eng.tools.company.com but does not match eng.company.com.
- *.*.*.company.com matches corp.exec.mail.company.com, but does not match corp.mail.company.com.
- mail.google.* matches mail.google.com, but does not match mail.google.uk.com.
- mail.google.*.* matches mail.google.co.uk, but does not match mail.google.com.
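The one-label-per-wildcard rule above, modelled as an added example (not Palo Alto Networks code) so an administrator can audit an exclusion list offline: the function treats "*" and "^" identically, as the Cause section says the firewall does, and reports whether a hostname would still be decrypted.

```python
# Added example (not Palo Alto Networks code): models the label-wise
# wildcard semantics of SSL Decryption Exclusion entries, where each
# "*" (translated internally to "^") matches exactly one DNS label.

def matches_exclusion(pattern: str, hostname: str) -> bool:
    """True if hostname matches pattern under one-label-per-wildcard rules.

    Matching is case-insensitive and ignores a trailing dot. A wildcard
    never spans labels, so the label counts must be identical.
    """
    pat_labels = pattern.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(pat_labels) != len(host_labels):
        return False
    for p, h in zip(pat_labels, host_labels):
        if p in ("*", "^"):
            if not h:  # an empty label (e.g. "a..b") never matches
                return False
            continue
        if p != h:
            return False
    return True


def still_decrypted(pattern: str, hostname: str) -> bool:
    """Audit helper: True means the exclusion entry does NOT cover the host,
    so its traffic would still be decrypted."""
    return not matches_exclusion(pattern, hostname)


if __name__ == "__main__":
    # The case from the Symptom section: two labels precede google.com,
    # so "*.google.com" does not cover a.b.google.com but "*.*.google.com" does.
    print(still_decrypted("*.google.com", "a.b.google.com"))    # True
    print(still_decrypted("*.*.google.com", "a.b.google.com"))  # False
```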
Additional Information
For the full description of wildcard behaviour, refer to the PAN-OS Administrator's Guide:
PAN-OS Administrator’s Guide Version 8.1
PAN-OS Administrator’s Guide Version 9.0