<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Decryption Exclusion methods in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/decryption-exclusion-methods/m-p/461459#M102170</link>
    <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/173922"&gt;@thompso104&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;I guess it really depends on how often you are updating the exclusion list and how fast you need that list to populate. An EDL is faster to update and is going to work fine in the majority of cases, but you better have a redundant system to service that EDL behind a load balancer to keep everything working. You wouldn't want the system servicing this list to go down and remove all of the exceptions you have created.&lt;/P&gt;
&lt;P&gt;I generally have both a permanent exception list configured as custom URL categories, and then an EDL configured for temporary exclusions for each organizational group. This way the permanent exclusions are directly linked in the configuration itself and I don't have to worry about the EDL servicer going down and the cache clearing, but I can still quickly add an exception when one is needed. The EDL clears each entry after 48 hours, while the custom URL listings are all considered a permanent or long-term exception.&lt;/P&gt;
&lt;P&gt;No one way is really the "correct" way and they all have some considerations to take into account. Generally though my EDL lists are actually dynamic entries that won't stick around long-term, but temporary things. That doesn't mean that anyone using an EDL for all of their decryption exclusions is wrong; it's just not how I've decided to do things. Either method works without issue; the EDL method just has some additional considerations you have to account for.&lt;/P&gt;</description>
    <pubDate>Thu, 27 Jan 2022 15:58:53 GMT</pubDate>
    <dc:creator>BPry</dc:creator>
    <dc:date>2022-01-27T15:58:53Z</dc:date>
    <item>
      <title>Decryption Exclusion methods</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/decryption-exclusion-methods/m-p/461419#M102166</link>
      <description>&lt;P&gt;From what I can tell there are three methods to exclude traffic from decryption:&lt;/P&gt;&lt;P&gt;1) Custom URL Category - Requires a Commit to the device group when adding URLs&lt;/P&gt;&lt;P&gt;2) SSL Decryption Exclusion List - Must be added to each Firewall template and then Commit&lt;/P&gt;&lt;P&gt;3) External Device List - edit text file on external server&lt;/P&gt;&lt;P&gt;Seems to me that the EDL is the best/easiest way to quickly exclude URLs as it can be done on the fly and without a Commit.&lt;/P&gt;&lt;P&gt;Please correct me if I'm missing something; I'm also looking for how other folks are doing this.&lt;/P&gt;&lt;P&gt;Thank you,&lt;/P&gt;</description>
      <pubDate>Thu, 27 Jan 2022 14:28:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/decryption-exclusion-methods/m-p/461419#M102166</guid>
      <dc:creator>thompso104</dc:creator>
      <dc:date>2022-01-27T14:28:10Z</dc:date>
    </item>
    <item>
      <title>Re: Decryption Exclusion methods</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/decryption-exclusion-methods/m-p/461459#M102170</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/173922"&gt;@thompso104&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;I guess it really depends on how often you are updating the exclusion list and how fast you need that list to populate. An EDL is faster to update and is going to work fine in the majority of cases, but you better have a redundant system to service that EDL behind a load balancer to keep everything working. You wouldn't want the system servicing this list to go down and remove all of the exceptions you have created.&lt;/P&gt;
&lt;P&gt;I generally have both a permanent exception list configured as custom URL categories, and then an EDL configured for temporary exclusions for each organizational group. This way the permanent exclusions are directly linked in the configuration itself and I don't have to worry about the EDL servicer going down and the cache clearing, but I can still quickly add an exception when one is needed. The EDL clears each entry after 48 hours, while the custom URL listings are all considered a permanent or long-term exception.&lt;/P&gt;
&lt;P&gt;No one way is really the "correct" way and they all have some considerations to take into account. Generally though my EDL lists are actually dynamic entries that won't stick around long-term, but temporary things. That doesn't mean that anyone using an EDL for all of their decryption exclusions is wrong; it's just not how I've decided to do things. Either method works without issue; the EDL method just has some additional considerations you have to account for.&lt;/P&gt;</description>
      <pubDate>Thu, 27 Jan 2022 15:58:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/decryption-exclusion-methods/m-p/461459#M102170</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2022-01-27T15:58:53Z</dc:date>
    </item>
  </channel>
</rss>

