https://live.paloaltonetworks.com/t5/general-topics/online-payment-with-ssl-decryption/m-p/435642#M96114 <P>Hi</P> <P>We have SSL decryption enabled on our PA NGFWs but our users have reported issues relating to online payment transactions. We have worked around this by creating a whitelist to bypass decryption but as more sites offer payment facilities online, it will eventually become unfeasible to maintain a bypass list. What is Palo's approach to dealing with this? Are other organizations facing the same issue and how are they dealing with it?&nbsp;</P> Wed, 22 Sep 2021 01:17:02 GMT Joe_Ng 2021-09-22T01:17:02Z https://live.paloaltonetworks.com/t5/general-topics/online-payment-with-ssl-decryption/m-p/435642#M96114 <P>Hi</P> <P>We have SSL decryption enabled on our PA NGFWs but our users have reported issues relating to online payment transactions. We have worked around this by creating a whitelist to bypass decryption but as more sites offer payment facilities online, it will eventually become unfeasible to maintain a bypass list. What is Palo's approach to dealing with this? Are other organizations facing the same issue and how are they dealing with it?&nbsp;</P> Wed, 22 Sep 2021 01:17:02 GMT https://live.paloaltonetworks.com/t5/general-topics/online-payment-with-ssl-decryption/m-p/435642#M96114 Joe_Ng 2021-09-22T01:17:02Z https://live.paloaltonetworks.com/t5/general-topics/online-payment-with-ssl-decryption/m-p/435780#M96115 <P>Thank you for your post&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/188998">@Joe_Ng</a>&nbsp;</P> <P>&nbsp;</P> <P>Palo Alto's recommendation is to exclude whole URL category:&nbsp;"financial-services"&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-exclusions/create-a-policy-based-decryption-exclusion.html" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-exclusions/create-a-policy-based-decryption-exclusion.html</A>&nbsp;This should cover sites that you get redirected to for online payments.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Wed, 22 Sep 2021 12:54:44 GMT https://live.paloaltonetworks.com/t5/general-topics/online-payment-with-ssl-decryption/m-p/435780#M96115 PavelK 2021-09-22T12:54:44Z https://live.paloaltonetworks.com/t5/general-topics/online-payment-with-ssl-decryption/m-p/436052#M96226 <P>Hi</P><P>&nbsp;</P><P>Thank you for your response. The URL category 'financial services' has already been included in a non-decrypt policy before the decrypt all policy. I suspect some sites may be running these services behind URLs that may be not be categorized under financial services.&nbsp;</P> Thu, 23 Sep 2021 00:36:36 GMT https://live.paloaltonetworks.com/t5/general-topics/online-payment-with-ssl-decryption/m-p/436052#M96226 Joe_Ng 2021-09-23T00:36:36Z https://live.paloaltonetworks.com/t5/general-topics/online-payment-with-ssl-decryption/m-p/436370#M96259 <P>Thank you for reply&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/188998">@Joe_Ng</a>&nbsp;</P><P>&nbsp;</P><P>I see. If you believe there is a URL mis-categorization, you can submit a request from this link:&nbsp;<A href="https://urlfiltering.paloaltonetworks.com/" target="_blank">https://urlfiltering.paloaltonetworks.com/</A></P><P>Other than what you are already doing with a manual whitelist, I can't think of any better way to avoid the issue you reported.</P><P>&nbsp;</P><P>Kind Regards</P><P>Pavel</P> Fri, 24 Sep 2021 04:59:13 GMT https://live.paloaltonetworks.com/t5/general-topics/online-payment-with-ssl-decryption/m-p/436370#M96259 PavelK 2021-09-24T04:59:13Z