https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption/m-p/68413#M39909 <P>Depends also for which clients you are intercepting and for which purpose.</P> <P>&nbsp;</P> <P>A more strict policy is that stuff that cannot be intercepted (or is not allowed to) will be blocked (meaning you cant visit that financial site from your workstation at work as an example).</P> <P>&nbsp;</P> <P>If you must know which sites you are "bypassing" SSL-termination for and URL-category isnt enough then create a custom URL-category where you put in your "whitelisted" sites into.</P> <P>&nbsp;</P> <P>Will take some time and effort but at the same time - how many financial sites (that is truly financial sites - not just forums where the topic is financial related) does your clients visit? And how many new lets say banks to there show up which you then need to whitelist?</P> <P>&nbsp;</P> <P>I guess you might have some work the first few days but then it will level out...</P> Fri, 20 Nov 2015 14:48:15 GMT mikand 2015-11-20T14:48:15Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption/m-p/68405#M39904 <P>With SSL Decryption it is recomended that <SPAN class="_Tgc">Financial services</SPAN> &amp; Medical <SPAN class="_Tgc">category </SPAN>is not decrypted.</P> <P>My question is how do you ensure that sites that should not be decrypted are not i.e. JP Morgan is clearly a <SPAN class="_Tgc">Financial services</SPAN> and will not get decrypted.&nbsp;</P> <P>But if a user were to access a very obsecure <SPAN class="_Tgc">Financial </SPAN>Website it may be classified incorrectley as such would get decrypted, the user would not know this is happneing.</P> <P>&nbsp;</P> <P>Is there any logs in the PA that one can look at get see this type of mis-clasification.</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 20 Nov 2015 09:31:36 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption/m-p/68405#M39904 RC-BHF 2015-11-20T09:31:36Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption/m-p/68412#M39908 <P>Short answer...No.</P> <P>&nbsp;</P> <P>The only way you're gonna know is if you know the site and submit it for re-categorization.</P> <P>&nbsp;</P> <P>The rationale for not intercepting finanicial is 2-fold. &nbsp;The first being PII reasons. &nbsp;The second being usually these types of sites more often than not are more prone to not working when intercepted.</P> <P>&nbsp;</P> <P>If you're intercepting a site like this and users are expereincing problems you'll know and will have the chance to re-categorize it.</P> Fri, 20 Nov 2015 14:25:58 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption/m-p/68412#M39908 Brandon_Wertz 2015-11-20T14:25:58Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption/m-p/68413#M39909 <P>Depends also for which clients you are intercepting and for which purpose.</P> <P>&nbsp;</P> <P>A more strict policy is that stuff that cannot be intercepted (or is not allowed to) will be blocked (meaning you cant visit that financial site from your workstation at work as an example).</P> <P>&nbsp;</P> <P>If you must know which sites you are "bypassing" SSL-termination for and URL-category isnt enough then create a custom URL-category where you put in your "whitelisted" sites into.</P> <P>&nbsp;</P> <P>Will take some time and effort but at the same time - how many financial sites (that is truly financial sites - not just forums where the topic is financial related) does your clients visit? And how many new lets say banks to there show up which you then need to whitelist?</P> <P>&nbsp;</P> <P>I guess you might have some work the first few days but then it will level out...</P> Fri, 20 Nov 2015 14:48:15 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption/m-p/68413#M39909 mikand 2015-11-20T14:48:15Z