https://live.paloaltonetworks.com/t5/general-topics/allow-traffic-after-quot-decrypt-error-quot/m-p/272413#M74911 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/25857">@Maxstr</a>&nbsp;</P><P>Depending on the actual reason you can allow specific connection (with a decryption profile), even if users then need to make a second attempt as the firewall needs the first try to add the website to an exclusion table. But there are situations (somehow bugs) where this probably isn't possible. So first I would update to 8.1.8 (=preferred release from Paloalto:&nbsp;<A href="https://live.paloaltonetworks.com/t5/Customer-Resources/Support-PAN-OS-Software-Release-Guidance/ta-p/258304" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/Customer-Resources/Support-PAN-OS-Software-Release-Guidance/ta-p/258304</A> ). If the problem then is still there you could either open a support case or use the solution proposed by <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a>&nbsp;and manually exclude the websites that generate errors - at least if you need to access these websites.</P> Sat, 22 Jun 2019 12:05:13 GMT Remo 2019-06-22T12:05:13Z https://live.paloaltonetworks.com/t5/general-topics/allow-traffic-after-quot-decrypt-error-quot/m-p/272178#M74893 <P>Is there any way to allow traffic after "decrypt-error"? I get a lot of decrypt-errors showing up in the logs when SSL decryption is enabled. Most of it is from amazonaws.com (even though I excluded it from decryption). I would rather just allow the traffic to pass, but instead it's getting denied by default, and I can't find any way to allow it instead.</P><P>&nbsp;</P><P>I'm running 8.1.5</P> Fri, 21 Jun 2019 15:04:33 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-traffic-after-quot-decrypt-error-quot/m-p/272178#M74893 Maxstr 2019-06-21T15:04:33Z https://live.paloaltonetworks.com/t5/general-topics/allow-traffic-after-quot-decrypt-error-quot/m-p/272388#M74910 <P>You can do the SSL decrypt exempt for particular website or destination address under the policies and decryption</P><P>&nbsp;</P><P>or&nbsp;</P><P>&nbsp;</P><P>Under device&nbsp;</P><P>&nbsp;</P><P>ssl decrypt exclusion you can add the particular website there which gived decrypt error.</P><P>Then your traffic to that website will not be decrypted.</P> Sat, 22 Jun 2019 02:42:38 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-traffic-after-quot-decrypt-error-quot/m-p/272388#M74910 MP18 2019-06-22T02:42:38Z https://live.paloaltonetworks.com/t5/general-topics/allow-traffic-after-quot-decrypt-error-quot/m-p/272413#M74911 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/25857">@Maxstr</a>&nbsp;</P><P>Depending on the actual reason you can allow specific connection (with a decryption profile), even if users then need to make a second attempt as the firewall needs the first try to add the website to an exclusion table. But there are situations (somehow bugs) where this probably isn't possible. So first I would update to 8.1.8 (=preferred release from Paloalto:&nbsp;<A href="https://live.paloaltonetworks.com/t5/Customer-Resources/Support-PAN-OS-Software-Release-Guidance/ta-p/258304" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/Customer-Resources/Support-PAN-OS-Software-Release-Guidance/ta-p/258304</A> ). If the problem then is still there you could either open a support case or use the solution proposed by <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a>&nbsp;and manually exclude the websites that generate errors - at least if you need to access these websites.</P> Sat, 22 Jun 2019 12:05:13 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-traffic-after-quot-decrypt-error-quot/m-p/272413#M74911 Remo 2019-06-22T12:05:13Z