https://live.paloaltonetworks.com/t5/web-proxy-discussions/ssl-decryption-exclusion-or-decryption-policy/m-p/1239010#M64 <P>Hello,</P> <P>&nbsp;</P> <P>I have a host unsuccessfully attempting to connect to AWS. The firewall is resetting the connection, based on packet captures.</P> <P>&nbsp;</P> <P>Which would be the best way to exclude this traffic from decryption: the SSL decryption exclusion list or a decryption policy? I tried adding the source host to an existing no-decryption policy, but it still hit the decryption policy, despite the no-decryption rule being above the decryption rule.</P> <P>I've also tried excluding the Amazon AWS address by using the SSL decryption exclusion list, but this fails, as well. I suspect, though, I'm not inputting the wildcard and domain correctly.</P> <P>&nbsp;</P> <P>That said, what would be the best way to accomplish the goal?</P> <P>&nbsp;</P> <P>Thanks</P> Mon, 29 Sep 2025 12:12:43 GMT DamianCleveland 2025-09-29T12:12:43Z https://live.paloaltonetworks.com/t5/web-proxy-discussions/ssl-decryption-exclusion-or-decryption-policy/m-p/1239010#M64 <P>Hello,</P> <P>&nbsp;</P> <P>I have a host unsuccessfully attempting to connect to AWS. The firewall is resetting the connection, based on packet captures.</P> <P>&nbsp;</P> <P>Which would be the best way to exclude this traffic from decryption: the SSL decryption exclusion list or a decryption policy? I tried adding the source host to an existing no-decryption policy, but it still hit the decryption policy, despite the no-decryption rule being above the decryption rule.</P> <P>I've also tried excluding the Amazon AWS address by using the SSL decryption exclusion list, but this fails, as well. I suspect, though, I'm not inputting the wildcard and domain correctly.</P> <P>&nbsp;</P> <P>That said, what would be the best way to accomplish the goal?</P> <P>&nbsp;</P> <P>Thanks</P> Mon, 29 Sep 2025 12:12:43 GMT https://live.paloaltonetworks.com/t5/web-proxy-discussions/ssl-decryption-exclusion-or-decryption-policy/m-p/1239010#M64 DamianCleveland 2025-09-29T12:12:43Z https://live.paloaltonetworks.com/t5/web-proxy-discussions/ssl-decryption-exclusion-or-decryption-policy/m-p/1245979#M66 <P>Hello&nbsp;<SPAN>&nbsp;</SPAN><SPAN class="UserName lia-user-name lia-user-rank-L1-Bithead lia-component-message-view-widget-author-username"><A id="link_10" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70768" target="_self" aria-label="View Profile of DamianCleveland"><SPAN class="">DamianCleveland ,</SPAN></A></SPAN></P> <P><SPAN class="UserName lia-user-name lia-user-rank-L1-Bithead lia-component-message-view-widget-author-username"><SPAN class="">Hope you are doing well...</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN class="UserName lia-user-name lia-user-rank-L1-Bithead lia-component-message-view-widget-author-username"><SPAN class="">Try creating AWS EDL (Extenal dynamic list )object depend on the service you trying to access in AWS and add this under URL category of your decryption&nbsp;</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN class="UserName lia-user-name lia-user-rank-L1-Bithead lia-component-message-view-widget-author-username"><SPAN class="">How to create EDL:&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/configure-the-firewall-to-access-an-external-dynamic-list-from-the-edl-hosting-service/create-an-external-dynamic-list-using-the-edl-hosting-service" target="_blank">https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/configure-the-firewall-to-access-an-external-dynamic-list-from-the-edl-hosting-service/create-an-external-dynamic-list-using-the-edl-hosting-service</A></SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN class="UserName lia-user-name lia-user-rank-L1-Bithead lia-component-message-view-widget-author-username"><SPAN class="">AWS EDL Hosting URL list:&nbsp;<A href="https://docs.paloaltonetworks.com/resources/edl-hosting-service?ref=packetswitch.co.uk" target="_blank">https://docs.paloaltonetworks.com/resources/edl-hosting-service?ref=packetswitch.co.uk</A></SPAN></SPAN></P> <P>&nbsp;</P> <P><FONT color="#666666"><SPAN>If this info helps marks this as answered ...cheers:)</SPAN></FONT></P> <P>&nbsp;</P> Tue, 20 Jan 2026 07:18:18 GMT https://live.paloaltonetworks.com/t5/web-proxy-discussions/ssl-decryption-exclusion-or-decryption-policy/m-p/1245979#M66 Vijayanand 2026-01-20T07:18:18Z