topic Re: Site / urls you don't want to decrypt in General Topics https://live.paloaltonetworks.com/t5/general-topics/site-urls-you-don-t-want-to-decrypt/m-p/230828#M66305 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/62286">@Alex_Samad</a></P><P>I like your decryption rules way more than the predefined exclusions. Thats why I disable all of them in most cases (and this has to be done again with every content update - at least for the new ones - which is a little annyoing).</P><P>At least since PAN-OS 8 we can control these predefined exclusions, but with the decryption policy I have more control for these exclusions because most of the time (in my case) the exclusion needs to be very specific and not a general one like with the exclusion list because when the exclusion is required from one computer/subnet/zone I don't care if the connection from anywhere else fails (as it is probably blocked in the security policy anyway).</P><P>Just my two cents ...</P> Fri, 14 Sep 2018 08:03:25 GMT Remo 2018-09-14T08:03:25Z Site / urls you don't want to decrypt https://live.paloaltonetworks.com/t5/general-topics/site-urls-you-don-t-want-to-decrypt/m-p/230797#M66295 <P>Hi</P><P>&nbsp;</P><P>I have a set of decrypt rules</P><P>&nbsp;</P><P>1 to no decrypt based on&nbsp;</P><P>src address</P><P>or&nbsp;</P><P>dst address</P><P>or&nbsp;</P><P>url - the usl is from custom objects / url category where I add in url's lile *.lync.com</P><P>&nbsp;</P><P>then i do my decrypt line so the above gets hit first and then the decrypt</P><P>&nbsp;</P><P>I also notice there is device / cert management / ssl decrypt exclusion &lt;&lt; which seems to be a master list of urls to no decrypt.</P><P>&nbsp;</P><P>should I be usine this list or my way above is there an advantage ?&nbsp; Not sure why I didn't start using the exclusion list from the start</P> Fri, 14 Sep 2018 01:22:02 GMT https://live.paloaltonetworks.com/t5/general-topics/site-urls-you-don-t-want-to-decrypt/m-p/230797#M66295 Alex_Samad 2018-09-14T01:22:02Z Re: Site / urls you don't want to decrypt https://live.paloaltonetworks.com/t5/general-topics/site-urls-you-don-t-want-to-decrypt/m-p/230828#M66305 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/62286">@Alex_Samad</a></P><P>I like your decryption rules way more than the predefined exclusions. Thats why I disable all of them in most cases (and this has to be done again with every content update - at least for the new ones - which is a little annyoing).</P><P>At least since PAN-OS 8 we can control these predefined exclusions, but with the decryption policy I have more control for these exclusions because most of the time (in my case) the exclusion needs to be very specific and not a general one like with the exclusion list because when the exclusion is required from one computer/subnet/zone I don't care if the connection from anywhere else fails (as it is probably blocked in the security policy anyway).</P><P>Just my two cents ...</P> Fri, 14 Sep 2018 08:03:25 GMT https://live.paloaltonetworks.com/t5/general-topics/site-urls-you-don-t-want-to-decrypt/m-p/230828#M66305 Remo 2018-09-14T08:03:25Z