https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-every-day-more-exclusions/m-p/332820#M84117 <P>There are an increasing number of sites that use techniques that block SSL decryption. As an example, SSL pinning is used to block MITM attacks so it will keep you from accessing a site that uses it when SSL decrypt is enabled.&nbsp;</P><P>The PA has a large default list of excluded sites, located in Device-Certificate Management-SSL Decryption Exclusion. We've had to add a fair number of sites to this list, including a few of the Microsoft online offerings.</P><P>I would agree that you shouldn't disable decryption globally, you'll just have to keep on top of creating exclusions when needed. I think you should also review your current policies. As you say, they are pretty soft.</P> Wed, 10 Jun 2020 16:50:02 GMT rmfalconer 2020-06-10T16:50:02Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-every-day-more-exclusions/m-p/332217#M84013 <P>Hi,</P><P>&nbsp;</P><P>We are using a PaloAlto 3260 with PanOS 9.0.7. We have configured SSL decryption wich uses a certificate signed by our own Windows CA server. Each client in our environment has the Windows Root CA.</P><P>In the beginning (2 years ago) everything worked well. We could decrypt everything except everything in the category financial.</P><P>But now latest months it seems I need to add a lot of websites for no decryption because otherwise the employees can't visit the website. It is getting frustrated and I'm think about disabling SSL decryption, but maybe you guys know an answer or solution.</P><P>Thanks.</P> Mon, 08 Jun 2020 06:37:14 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-every-day-more-exclusions/m-p/332217#M84013 ZEBIT 2020-06-08T06:37:14Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-every-day-more-exclusions/m-p/332275#M84024 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1006">@ZEBIT</a> ,</P> <P>&nbsp;</P> <P>I would advise against disabling SSL decryption entirely.</P> <P>&nbsp;</P> <P>Instead of just adding them to the no decrypt policy try figuring out why users are experiencing issues with those sites.&nbsp;</P> <P>Are you blocking access on some of the verifications (unsupported ciphers, versions, certificate issues, ... ) ?</P> <P>&nbsp;</P> <P>Cheers,</P> <P>-Kiwi</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Mon, 08 Jun 2020 09:47:36 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-every-day-more-exclusions/m-p/332275#M84024 kiwi 2020-06-08T09:47:36Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-every-day-more-exclusions/m-p/332288#M84025 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11943">@kiwi</a>&nbsp;</P><P>I think I'm quit soft (too soft) in my policy. Here you can see screenshots of the whole policy + certficats like our partner implemented.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture3.PNG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26136iB0CF77B537A713CD/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture3.PNG" alt="Capture3.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture4.PNG" style="width: 801px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26134i0230E568D453E80A/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture4.PNG" alt="Capture4.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture5.PNG" style="width: 801px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26135i687E7D70B908BD90/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture5.PNG" alt="Capture5.PNG" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture6.PNG" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26133i93BCCDB70D9D7858/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture6.PNG" alt="Capture6.PNG" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture7.PNG" style="width: 956px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26137i0BDEAC345BCD59F8/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture7.PNG" alt="Capture7.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.PNG" style="width: 804px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26138i6A998B18959A2266/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture.PNG" alt="Capture.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture1.PNG" style="width: 798px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26139iFAF7AF8711633DE5/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture1.PNG" alt="Capture1.PNG" /></span></P> Mon, 08 Jun 2020 10:13:16 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-every-day-more-exclusions/m-p/332288#M84025 ZEBIT 2020-06-08T10:13:16Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-every-day-more-exclusions/m-p/332820#M84117 <P>There are an increasing number of sites that use techniques that block SSL decryption. As an example, SSL pinning is used to block MITM attacks so it will keep you from accessing a site that uses it when SSL decrypt is enabled.&nbsp;</P><P>The PA has a large default list of excluded sites, located in Device-Certificate Management-SSL Decryption Exclusion. We've had to add a fair number of sites to this list, including a few of the Microsoft online offerings.</P><P>I would agree that you shouldn't disable decryption globally, you'll just have to keep on top of creating exclusions when needed. I think you should also review your current policies. As you say, they are pretty soft.</P> Wed, 10 Jun 2020 16:50:02 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-every-day-more-exclusions/m-p/332820#M84117 rmfalconer 2020-06-10T16:50:02Z