Traffic not being decrypted for SSL sessions using client certificates.

• The firewall decryption profile and the certificates used for decryption appear to be correct.
• We are expecting that traffic from the source zone to the destination zone should match the decryption rule but the traffic logs do not show that it was decrypted.
• We also do not see that domain example.host.com added to the decryption exclusion list on GUI: Device > Certificate Management > SSL Decryption Exclusion
• To troubleshoot further we look at the following on the firewall CLI:

VSYS SERVER APP TIMEOUT REASON DECRYPTED_APP PROFILE EXCLUSION_LIST_MATCH
1 65.210.90.11:443 ssl 9185 SSL_CLIENT_CERT undecided THD-Decryption-profile No
1 98.115.16.231:443 ssl 4002 SSL_CLIENT_CERT undecided THD-Decryption-profile No

• After setting up the filters for the traffic on the firewall we can also look at the corresponding global counters:

show counter global | match proxy
proxy_exclude_by_cache 11009 0 info proxy pktproc Number of ssl sessions bypassed proxy because of exclusion cache

• All PAN-OS
• Palo Alto firewall.
• SSL Decryption configured.

In the "show system setting ssl-decrypt exclude-cache" output, the "SSL_CLIENT_CERT" means that the site is doing certificate-based client authentication.

A client certificate can't be spoofed because you cannot generate a client certificate on the fly that matches the CA requested by the server, so the firewall adds it to the exclude cache.

The global counter proxy_exclude_by_cache is incrementing because the client sends a certificate verify message, which we do not support