Decryption rule with action set to "no decrypt" does not work for a specific site

Created On 03/07/25 02:23 AM - Last Modified 10/27/25 16:17 PM


Symptom


  • A decryption rule is configured to match URLs with the action set to "no decrypt".
  • Some communications are decrypted even though they are set to "no decrypt".


Environment


  • Prisma Access(SASE)
  • Supported PAN-OS
  • Decryption


Cause


  • A URL category is used to match traffic for the decryption rule whose action is set to "no decrypt".
  • These URLs require client authentication.
  • For this kind of website, the server must be added to the decryption exclusion list.
  • Refer to: Exclude Server From Decryption For Technical Reasons.


Resolution


  1. Add the server to the SSL decryption exclusion list.
  2. This avoids decryption errors for sites that use certificate pinning or client certificate authentication.
  3. Refer to the documentation for details.

