How to bypass SSL decryption for an application

L7 Applicator

SSL decryption is a very strong tool in the hands of an administrator to protect the network and defend against malware, but some web-based applications have such a setup that decryption is not possible, or breaks the application (client certificates, exceptionally strong encryption, pinholing,...) and you need to set up a no decryption policy.


To exclude a URL category from decryption is easy enough, but what about a single application? At the time of writing, there is an outstanding Feature Request to be able to set applications to non-decrypt, so if you're looking for this particular feature, go ahead and reach out to your sales contact to add your vote to FR ID: 2946.


If you are good with a creative workaround leveraging the new log forwarding capabilities introduced in PAN-OS 8.0, community member @Ozamir was kind enough to share a workaround he put together to tackle an issue with a VPN appliance.


Please enjoy his creation and feel free to comment below, you can also find the original discussion thread here How to SSL Bypass based on application







I wanted to share a solution I have implemented recently.


Bypassing SSL Decryption based on applications was a request I had from many customers.

I know there is an FR for that, but until then, with PAN-OS 8, it is possible to achieve differently.


I had a specific scenario where one of my customers had to connect to his customer's Pulse Secure SSL VPN device (collaboration feature). 

When using SSL Decryption on his PAN NGFW, the connection was failing and he had to manualy add the IP address of his customer to a bypass rule.

When you have hundreds of customers using that solution, and you need to add their IP address manualy, it is becoming problematic.



The idea is, dynamically adding the destination address to an SSL Bypass rule.


Here is how it goes...


Create a tag - Objects --> Tags:




Create a Dynamic Address Group - Objects --> Address Groups

Add the previously created tag's name as a match

dynamic address group.png

Create a decryption rule with the new Address Group object as a destination with a 'no-decrypt' action. (pay attention to rules order)bypass rule.png

Create a Log Forwarding profile with a filter that will catch a specific application ('secure-access' for my scenario). Use Traffic as the log type.



log forwarding.png


Add a Built-in Action to tag the destination address

built-in action.png



Add the Log forwarding profile to the security rule that permitted the desired application originally.

security rule.png



Access the desired website (application), and verify the address has successfully been dynamically registered to the dynamic address group (click 'more'), and successfully SSL Bypassed.



Verify dyn address grp.png




Please share your thoughts..

L7 Applicator

@Ozamir degraded FR 2946 to 'unnecessary' ;)

Ask Questions Get Answers Join the Live Community