List of Applications Excluded from SSL Decryption

by nrice on 04-23-2010 01:38 PM (later edited)

The following applications currently cannot be decrypted by the Palo Alto Networks firewall.

If the firewall attempted SSL decryption on any of these applications, the SSL decrypt engine would fail (they deviate from standard SSL/TLS behaviour, for example by using proprietary encryption, requiring a specific type of certificate, or refusing to trust a newly added certificate authority) and the session would be dropped.

To prevent that, each Content release adds these applications to a built-in exclude list, and the SSL engine lets matching sessions pass through undecrypted instead of attempting to decrypt them. This pass-through takes precedence over a Decryption policy rule whose action is decrypt, so traffic for these applications is not inspected. If one of them should not be permitted on your network, block it by App-ID in a Security policy rule rather than relying on decryption to break it.

# Application
1 adobe-echosign
2 aerofs
3 aim
4 airdroid
5 amazon-aws-console
6 anydesk
7 appguru
8 apple-game-center
9 apple-push-notifications
10 asana
11 authentic8-silo
12 bluejeans
13 cryptocat
14 daum-mypeople
15 discord
16 dnf
17 efolder
18 evault
19 filesanywhere
20 finch
21 google-plus-posting
22 gotoassist
23 gotomeeting
24 gotomypc
25 hbo
26 hp-virtual-rooms
27 icloud
28 informatica-cloud
29 itunes
30 itunes-appstore
31 itunes-mediastore
32 itwin
33 jungledisk
34 kakaotalk
35 kakaotalk-audio-chat
36 kakaotalk-file-transfer
37 lantern
38 linkedin
39 live-mesh
40 logentries
41 logmein
42 logmeinrescue
43 meerkat
44 megachat
45 metatrader
46 minecraft
47 ms-lync-online
48 ms-product-activation
49 ms-spynet
50 ms-update
51 naver-line
52 norton-zone
53 ntr-support
54 odrive
55 office-on-demand
56 okta
57 onepagecrm
58 onlive
59 opera-vpn
60 packetix-vpn
61 paloalto-wildfire-cloud
62 pando
63 pathview
64 periscope
65 proofhq
66 puffin
67 rift
68 second-life
69 signal
70 silent-circle
71 simplify
72 sophos-rms
73 springcm
74 sugarsync
75 telex
76 tigertext
77 ubuntu-one
78 ultrasurf
79 vagrant
80 via3
81 vmware-view
82 vudu
83 wallcooler-vpn
84 webroot-secureanywhere
85 wetransfer
86 whatsapp
87 winamax
88 wiredrive
89 yunpan360-file-transfer
90 yuuguu
91 zoom
92 zumodrive
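As an added example for this article (not Palo Alto Networks code, and with rule semantics that are simplified assumptions), the Python model below shows what "added to an exclude list" does to a decryption decision. It pulls the SNI out of a ClientHello, which is the hostname a decrypting firewall has before any decryption happens, evaluates an ordered Decryption rulebase in which a no-decrypt rule placed above the catch-all decrypt rule exempts a site, and then consults a constructed stand-in for the vendor list, keyed by destination IP, that overrides the admin's decrypt verdict. The `block_undecryptable` flag is an assumption that models dropping such sessions instead of passing them through. The ClientHello bytes, hostnames and addresses are constructed sample data.

```python
"""Toy model of an SSL-decryption decision path with a vendor-shipped exclude
list. Added illustration, not Palo Alto Networks code; semantics are assumptions."""
import ipaddress
import struct
from fnmatch import fnmatch
from typing import List, Optional, Tuple


def parse_sni(client_hello: bytes) -> Optional[str]:
    """Return host_name from a ClientHello's server_name extension (RFC 6066),
    or None if the bytes are not a ClientHello or carry no SNI."""
    try:
        if client_hello[0] != 0x16:                       # not a handshake record
            return None
        rec_len = struct.unpack("!H", client_hello[3:5])[0]
        body = client_hello[5:5 + rec_len]
        if body[0] != 0x01:                               # not a ClientHello
            return None
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                      # client_version + random
        pos += 1 + hello[pos]                             # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                             # compression_methods
        if pos + 2 > len(hello):
            return None                                   # no extensions block
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0x0000:                        # 0 = server_name
                continue
            lp = 2                                        # skip ServerNameList length
            while lp + 3 <= len(data):
                name_type = data[lp]
                name_len = struct.unpack("!H", data[lp + 1:lp + 3])[0]
                if name_type == 0:                        # host_name
                    return data[lp + 3:lp + 3 + name_len].decode("ascii")
                lp += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with only an SNI extension."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # host_name entry
    sni = struct.pack("!H", len(entry)) + entry                  # ServerNameList
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00"       # version, random, no session id
             + b"\x00\x02\xc0\x2f" + b"\x01\x00"         # one suite, null compression
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed stand-in for the vendor-shipped list, keyed by destination
# address rather than application name (an assumption for this model).
BUILTIN_EXCLUDE_IPS = {ipaddress.ip_address("203.0.113.10")}

Rule = Tuple[str, str, str, str]   # (name, sni glob, destination network, action)


class DecryptPolicy:
    """Ordered admin rulebase, first match wins, then the built-in list."""

    def __init__(self, rules: List[Rule], block_undecryptable: bool = False):
        self.rules, self.block_undecryptable = rules, block_undecryptable

    def decide(self, dst_ip: str, client_hello: bytes) -> str:
        sni = parse_sni(client_hello) or ""
        ip = ipaddress.ip_address(dst_ip)
        for name, pattern, net, action in self.rules:
            if fnmatch(sni, pattern) and ip in ipaddress.ip_network(net):
                if action == "no-decrypt":
                    return f"no-decrypt ({name})"          # admin-defined bypass
                break                                     # matched a decrypt rule
        else:
            return "no-decrypt (no rule matched)"
        # The admin rule said decrypt, but the vendor list is consulted after it
        # and wins: pass through undecrypted, or drop if configured to block.
        if ip in BUILTIN_EXCLUDE_IPS:
            return ("blocked (excluded app)" if self.block_undecryptable
                    else "passthrough (excluded app)")
        return "decrypt"


if __name__ == "__main__":
    policy = DecryptPolicy([("bypass-updates", "*.update.example", "0.0.0.0/0", "no-decrypt"),
                            ("decrypt-all", "*", "0.0.0.0/0", "decrypt")], True)
    for host, ip in [("www.example", "198.51.100.5"), ("dl.update.example", "198.51.100.9"),
                     ("app.pinned.example", "203.0.113.10")]:
        print(f"{host:20} {ip:15} -> {policy.decide(ip, build_client_hello(host))}")
```

Run it directly to see the three outcomes. The point to take away is that the vendor list is consulted after your own rulebase, so a session can match your decrypt rule and still bypass inspection; the only rulebase you fully control is the one that decides whether the application is allowed at all.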
Comments
by nrice
on 05-16-2010 03:38 PM

Open a case with your support provider if you have a site that should be added to the list.

by sunilsadanandan
on 07-28-2011 06:07 AM

Hi,

Is there a reason why these sites cannot be decrypted?

Regards,

Sunil

by nrice
on 07-28-2011 01:47 PM

Generally they can't be decrypted because they deviate from SSL encryption standards. They may use proprietary encryption, require a specific type of certificate or be unable to add new certificate authorities. Decryption would break them so that they no longer work. This list can't be manipulated to force decryption.

by essnet
on 02-21-2012 08:23 AM

Question: do you first check for SSL certificate validity?

Imagine a hacker creates a self-signed certificate for *.dropbox.com or *.gotomeeting.com or any application listed below.

Since you don't decrypt it, he would be able to tunnel anything he wants.

by AndreasB
on 05-16-2012 04:49 PM

I stumbled over this entry by accident and I must admit that I'm surprised to see yet another "undocumented" default action from Palo Alto.

If I define a policy to decrypt all SSL traffic I expect the device to do what I specify. I fully understand that this could break certain applications, but as a security admin I expect to be in full control without a device changing the policy I define.

Is there a way to override this so that the device decrypts all SSL traffic without any default exceptions which I prefer to define myself?

by kfindlen
on 05-21-2012 10:41 AM

When you define the SSL decryption policy, enable the "Block sessions that can not be decrypted" option. This will cause the firewall to block the session if either the certificate matches the exclude list, or the firewall is unable to decrypt the session for another reason.

by essnet
on 05-21-2012 01:20 PM

kfindlen, I would not bet on that as I know Dropbox will pass even if I enable "Block if cannot decrypt".

by EdwinD
on 08-16-2012 03:29 PM

As of 4.1.7, I'm still seeing decryption issues with Dropbox and AOL AIM. Is there something I have to do to enable this list?

I currently have Dropbox's netblock set to not decrypt ( http://whois.arin.net/rest/net/NET-199-47-216-0-1/pft ) but I haven't figured out bos.oscar.aol.com since it doesn't have an A record yet I can clearly see this in the Pidgin logs.

by essnet
on 08-17-2012 07:09 AM

You can put *.dropbox.com in a URL category and then disable Decryption on that new category

by EdwinD
on 08-17-2012 02:02 PM

I think what is throwing me off here is the log file. In the Monitor/Traffic I see the dropbox traffic as allowed. However, that is allowed through a higher rule that is my executable file blocking to sites in the unknown category.

If I pull up the details on that log, there is an additional deny log entry from a rule further down which is blocking the category of personal storage.

I must be doing something wrong on my traffic view.  How do I see all the logs, including the deny?  I do have logging set to "Start" and "End" on both of these rules.

by EdwinD
on 09-25-2012 03:22 PM

For FedEx Shipment Manager to work, the following should be removed from Decryption:

199.81.196.22
199.81.196.27
199.81.197.140
199.81.197.170
199.81.216.140
199.81.217.140

Reference: FedEx Ship Manager Software - Astaro User Bulletin Board

by AndreasB
on 09-25-2012 04:54 PM

Anyone still having problems with Google Chrome?

According to the 4.1.8 release notes PA fixed the problem but I still can't use the Chrome Omnibox for Google searches.

Typing a search item redirects to

https://www.google.ch for me and I get a Certificate Error.

Status: timed-out

Clicking the lock icon shows everything as OK, the PA CA is trusted by my browser. I also disabled SPDY and used the command line switch to use the system SSL.

Even specifying *.google.com and *.google.ch in a rule to exclude SSL decryption didn't help.

I'm also getting the same error message now with the latest Firefox.

Currently the only way for a Google search is to use IE with an URL like http://www.google.com

by essnet
on 09-26-2012 01:35 AM

Hello,

Don't use SSL Decryption against Google services (it's been creating problems for months, especially with .country versions); you need to wait for PA to implement missing SSL features for that.

Just bypass decryption for all google ranges: ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16

by jcheuvront
on 10-26-2012 09:34 AM

What is the status for a fix for this? Disabling decryption for google services/sites is a no go for companies that have regulatory needs for decryption to stay within regulatory compliance. Is there a way to create a rule such as (if useragent = chrome and spdy = true then do not decrypt)? I am very new to PAN so I am not sure if that is even possible.  At least we can get to most sites and just not decrypt sites that have implemented spdy.

by essnet
on 10-26-2012 11:31 AM

Hello,

The fix is being handled as a feature request, don't expect it to happen very soon. I am pushing for it as a customer but it's true that they need enough time to develop a rock-solid enhancement in their SSL stack.

by EdwinD
on 10-26-2012 01:54 PM

Way back in the day when HTTP/1.1 just began to be utilized, I had an option in my eSafe gateway where I could disable HTTP/1.1. The eSafe box would tell the browser the server was just HTTP/1.0. They did this until they had time to build code for inspecting the GZIP, COMPRESS, and DEFLATE capabilities of HTTP/1.1.

I want to add my voice to the mix. We really need to see Palo Alto step up to the plate and address this traffic. Decryption was a big selling point. I would be happy if I had a check box on my Palo Alto where I can disable SPDY altogether and then have the Palo Alto modify the server's ServerHello response to remove the spdy/2 response.

This is an important feature for me. 

by jcheuvront
on 10-26-2012 01:57 PM

I agree with EdwinD that would be a great option and it is a must for me as well since our corporate standard is Chrome.

by EdwinD
on 10-29-2012 12:43 PM

Another that needs to be excluded from SSL Decryption by default is https://softwareupdate.vmware.com/cds

Without excluding this, VMWare products fail to check for updates and fail to notify users that security updates exist.  A manual check will result in "Disconnected - A certificate error occurred for the update server."

This should be excluded from everyone's SSL decryption as otherwise it presents a silent security vulnerability into a network.

by amansour
on 03-04-2013 11:46 AM

Is there a property on the apps that defines whether or not it is decryptable? Better to work with decrypting specific apps instead of writing exceptions to a blanket rule.

by Jeff_K
on 03-20-2013 12:43 PM

Come on, this built-in "SSL engine pass through" is ridiculous beyond belief. I can understand publishing a list of troubled apps and their associated sites but to force this pass-through is just wrong and needs to be fixed.

by ericgearhart
on 03-20-2013 12:53 PM

I'm on the side of PA on this one... if the SSL implementation is not known (because it's somewhat proprietary) and therefore the traffic can't be decrypted, then how do you propose PA "fixes" this other than deliberately passing through this traffic? We do SSL decrypt (not with PA devices but with a different device) and we've always had to make exceptions such as the one described in this post because of funky SSL implementation.

by azwicker
on 03-21-2013 03:07 AM

We have a squid server behind our pa fw like this:

Client <-> PA FW <-> Squid Proxy <-> ASA FW <-> Internet

Decryption of site https://addons.mozilla.org adds the IP address of our squid proxy to the exclude-cache list and all following ssl connection are not decrypted anymore. Is this expected behaviour?

by Jeff_K
on 03-21-2013 07:35 AM

I'm not decrying the fact that certain SSL sessions break when decrypted and that they need to be excluded from the decryption process if we must have them work.

We want visibility to everything so we have a default decryption policy that blocks the traffic if decryption fails. If a site/app breaks because of decryption, we assess the risk and decide if we wish to exclude it from decryption in a policy.

What confounds is that this 'feature' circumvents the configured decryption policies; we have not decided to let that list of sites pass through. This means I must know exactly what is in the exclusion list and add a security rule to block those sites that we have not deemed permissible.

by ericgearhart
on 03-21-2013 08:53 AM

Ahh! That makes sense. That's definitely a reasonable reason to complain about this list then :)

by ericgearhart
on 03-21-2013 09:37 AM

azwicker - honestly a question like this would be a candidate for its own thread, in the Discussion Forum, not as a comment on a document

by AndreasB
on 07-03-2013 07:56 AM

Is anybody else having problems decrypting Juniper SSL VPN traffic?

It is not on the list but the list is old.

BTW, I'm still convinced that Palo Alto should give us control over bypassing decryption for broken sites and not let the traffic pass through undecrypted for some obscure list of sites.

by john.langford@aplp.net
on 07-03-2013 08:58 AM

AndreasB - You do have the control to bypass decryption with an SSL decryption policy. If you have not set one up you will need to, as there are always random sites that can't be decrypted properly. You just specify the addresses in the destination address policy and use action no-decrypt before the decrypt policy line entry.

by AndreasB
on 07-03-2013 11:44 AM

Hi John,

the problem is that there apparently is a list of sites/applications (does it still exist in 5.0.x?) which are not decrypted by default and this is a built in feature not under the control of the security administrator.

I'm perfectly fine with the fact that some sites/applications don't follow the standards and can't be decrypted, but this must be controlled by the admin, not by the vendor.

by drogers
on 07-03-2013 03:32 PM

If your firewall policy is configured to allow app XYZ and attempting to decrypt it would break XYZ, then the firewall would no longer be allowing the app you intended to allow. 

If you feel that a specific app should not be allowed because it does not work with SSL decryption, then you can create a firewall policy to block that application.

by Jeff_K
on 07-04-2013 05:58 AM

The issue is we don't know at any given time what applications the vendor has excluded from decryption.  Without this information we cannot properly maintain the policies in our firewall.

by mbrownnyc
on 02-04-2015 07:28 AM

*.robtex.com

robtex.com

by EdwinD
on 02-04-2015 03:07 PM

If we check out Watchguard's document we have a clear explanation of why certain traffic can't flow through the Palo Alto decryption.

http://www.watchguard.com/help/docs/wsm/xtm_11/en-US/index.html#cshid=en-US/proxies/https/https_prox...

Basically, while DropBox.com in IE may be fine when decrypted by the Proxy CA, the DropBox app itself doesn't work.  The app validates the authenticity of the signing certificate authority whereas IE is using the system certificate store. 

One can't simply setup an IP or IP range to address this as one would in the old days because DropBox is hosted in the Amazon Cloud.  Some of it uses SNI.  One would be whitelisting an enormous amount of other websites if one took this approach.

This is going to become more and more of a problem as vendors attempt to thwart MTM Proxy CAs.

I suggest that this list in DOC 1423 be a tab within PanOS.  As Palo Alto updates this list of applications, the relevant tab is updated.   As a user, I have the ability to put a check box next to an entry which allows me to decrypt and thus break individual apps.   This could be because I have an enterprise policy blocking everyone from second-life.

The other reason this needs to be more visible is because I have ancient PanOS 4.0 rules in place to address gotomeeting decryption issues.   Palo Alto updated this list and I had no idea.  At this point I could remove or disable my complex decryption rules which prevented gotomeeting from being decrypted.

by drogers
on 02-04-2015 05:12 PM

I'm sure PLM is looking at this, however as things stand right now you shouldn't be *relying* on SSL decrypt to 'break individual apps'.  Your best bet with the current feature set is to use AppID and firewall rules to block applications you don't want to allow, and use SSL decryption to decrypt things that you want a deeper look at.

Look at it this way, before an application can even hit the decrypt policy, a firewall rule has been put in place that allows it.  Having a separate feature (in this case SSL decryption) break/block an application that you've explicitly allowed is sub-optimal.  Fortunately if you want to block it yourself, you still can.

Also, you'll note the list above does not have Dropbox on it - I'm not sure where that came in to the question, but Dropbox traffic through a browser can be decrypted by a Palo Alto NGFW just fine, so we do that.   

by Jeff_K
on 04-17-2015 07:49 AM

It is very misleading for Palo Alto to say this is a list of applications that are excluded from decryption.  Try creating your own exclusion decryption policy based on what the application is... it isn't possible.  The Content load exclusion list is actually a list of IP addresses.  When an encrypted session is initiated to an IP address in this list, irrespective of the application, the session will circumvent the configured decryption policies.

by EdwinD
on 05-04-2015 01:01 PM

Dropbox was mentioned because Dropbox is a perfect example.   The app doesn't work when decrypted by PanOS.  The details are right on Dropbox at this link: https://blogs.dropbox.com/dropbox/2014/06/weve-got-your-back/

Another post about this is here:  https://groups.google.com/forum/#!msg/httpfiddler/1A8Aks8ymPY/ZalTbWW0DV4J

While in this case I am talking about an App and not a website, websites can pin too.   I'm very curious how Palo Alto Networks is going to handle websites using certificate public key pinning and TLS_FALLBACK_SCSV.   I'm already running into websites that use these technologies and thus will not even connect through the Palo Alto Networks firewall with decryption enabled.   It seems to me that as these two technologies become more common place, there will be no way to decrypt many websites.

by EdwinD
on 06-24-2015 07:47 AM

As Microsoft is doing with Windows Updates, Symantec is pinning their private signing certificate into their products.   SEPM Antivirus has pinned certificates within the product. 

Decryption of the following websites causes this pinning to detect Palo Alto Networks SSL decryption and the related functionality fails.

I suggest Palo Alto Networks add these specific hosts to their List of Applications Excluded from SSL Decryption.

References:

by TheDave
on 07-29-2015 05:13 PM

Any chance of additional applications being updated or is there any other recommended guidance to deal with applications that utilize certificate pinning?  I've had to exclude the following domains for some applications to work properly and I'd rather not play whack a mole with domains and applications:

adobe.com - Creative Cloud and various components of it don't like being decrypted

*.adobe.com

adobe.io

*.adobe.io

ims-na1.adobelogin.com

scproxy-prod.adobecc.com

adobesc.com

*adobesc.com

*.mozilla.org - Firefox in particular doesn't like to access developers.mozilla.org or several other subdomains

*.google.com - google drive will not function unless you disable decryption on several google domains, unless you run a command switch for it to not care about certificates

google.com

*.gstatic.com

gstatic.com

appcelerator.com

*.appcelerator.com

*.apple.com - Software updates for iOS and OS updates for beta users of OS's was problematic until we added this to the bypass list

apple.com

by max.strzelecki
09-28-2015 01:13 PM - edited 09-28-2015 01:21 PM

Great list TheDave, thanks. Here are some additional sites that recently started using HPKP:

*.youtube.com (along with all other Google properties, like you mentioned)
*.outlook.com
*.bing.com
*.yahoo.com
*.twitter.com
*.wikipedia.org

*.reddit.com

This list will only get longer and longer, until there is nothing left to decrypt. I hope Palo Alto will come up with a solution besides whitelisting everything
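The pinning failure that EdwinD and max.strzelecki describe above (apps and HPKP sites rejecting the forward-proxy certificate) can be reproduced in a few lines. The Python below is an added illustration, not code from Dropbox, Symantec, any browser or Palo Alto Networks; the SPKI byte strings and the Public-Key-Pins header are constructed sample data. It computes RFC 7469 pin-sha256 values, parses a Public-Key-Pins header, notes pins only when a backup pin is present and the chain that delivered the header already satisfies them, and validates later chains with includeSubDomains lookup. A chain re-signed by a decrypting firewall contains none of the site's keys, so it fails pin validation even though the firewall's CA is trusted by the OS store.

```python
"""HPKP-style public-key pinning check (RFC 7469). Added illustration for the
pinning discussion; not any vendor's code. All key material is constructed."""
import base64
import hashlib
from typing import Dict, List, Optional, Set


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(header: str) -> Dict:
    """Parse a Public-Key-Pins header value into pins, max-age, includeSubDomains."""
    pins: Set[str] = set()
    max_age: Optional[int] = None
    include_sub = False
    for directive in header.split(";"):
        key, _, value = directive.strip().partition("=")
        key, value = key.strip().lower(), value.strip().strip('"')
        if key == "pin-sha256":
            pins.add(value)
        elif key == "max-age":
            max_age = int(value)
        elif key == "includesubdomains":
            include_sub = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_sub}


def chain_matches_pins(chain_spkis: List[bytes], pins: Set[str]) -> bool:
    """Pin validation passes if ANY certificate in the served chain has an SPKI
    whose hash is pinned. A forward proxy re-signs the server certificate with
    its own key, so a proxy-minted chain contains no pinned SPKI at all."""
    return any(spki_pin(s) in pins for s in chain_spkis)


class PinStore:
    """Pins a client has noted per host, with includeSubDomains lookup."""

    def __init__(self) -> None:
        self.entries: Dict[str, Dict] = {}

    def learn(self, host: str, header: str, chain_spkis: List[bytes]) -> bool:
        """Note pins only if a backup pin exists and the delivering chain already
        satisfies them (RFC 7469), so an injected header cannot pin the client
        to an attacker's or proxy's key."""
        info = parse_hpkp(header)
        if len(info["pins"]) < 2 or not chain_matches_pins(chain_spkis, info["pins"]):
            return False
        self.entries[host] = info
        return True

    def lookup(self, host: str) -> Optional[Dict]:
        if host in self.entries:
            return self.entries[host]
        labels = host.split(".")
        for i in range(1, len(labels) - 1):          # walk up to parent domains
            parent = self.entries.get(".".join(labels[i:]))
            if parent and parent["include_subdomains"]:
                return parent
        return None

    def validate(self, host: str, chain_spkis: List[bytes]) -> str:
        """Run after normal chain validation; returns the pinning verdict."""
        info = self.lookup(host)
        if info is None:
            return "accept (no pins)"
        return "accept" if chain_matches_pins(chain_spkis, info["pins"]) else "reject (pin mismatch)"


# Constructed sample SPKIs: the site's leaf, backup and root keys, and the
# keys a decrypting firewall would present in their place.
SITE_LEAF = b"constructed-spki:site-leaf-key"
SITE_BACKUP = b"constructed-spki:site-backup-key"
SITE_ROOT = b"constructed-spki:public-ca-root-key"
PROXY_LEAF = b"constructed-spki:proxy-minted-leaf-key"
PROXY_CA = b"constructed-spki:forward-proxy-ca-key"
SITE_HEADER = (f'pin-sha256="{spki_pin(SITE_LEAF)}"; pin-sha256="{spki_pin(SITE_BACKUP)}"; '
               'max-age=5184000; includeSubDomains')


if __name__ == "__main__":
    store = PinStore()
    print("learned  :", store.learn("example.com", SITE_HEADER, [SITE_LEAF, SITE_ROOT]))
    print("direct   :", store.validate("www.example.com", [SITE_LEAF, SITE_ROOT]))
    print("via proxy:", store.validate("www.example.com", [PROXY_LEAF, PROXY_CA]))
```

The caveat that explains the browser-versus-app difference noted in the comments: RFC 7469 lets a user agent skip pin validation for chains that terminate at a locally installed trust anchor, and Chrome and Firefox did exactly that, so a browser that trusts the firewall's CA still reaches a pinning site while a native client with a hardcoded pin refuses the connection. Browsers have since removed HPKP entirely (Chrome dropped it in version 72), but application-embedded pins remain and behave like the check above.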

by parichie
on 10-15-2015 02:04 PM

Please add the following: *.join.me and spideroak

by Evgeny_Kutumin
on 11-10-2015 02:55 AM - last edited on 03-31-2016 12:37 AM

Hi all,

we've just found that the latest ms-lync (skype for business) is also failing if we enable ssl decryption.

Please refer:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Exclude-a-URL-from-SSL-Decryption...

Hope it will be solved someday.

regards,

Evgeny.

by indup089
on 04-19-2016 01:08 AM

Hi,

does anyone have info on whether MS OneDrive currently cannot be decrypted and is therefore built-in excluded?

This application is currently not listed in the exclude list above.

regards,

Uli 

by craymond
on 04-19-2016 07:09 AM

Decryption is becoming. Every week we are adding 1 or 2 more sites that won't work with decryption turned on. We are up to 93 sites that can't be decrypted.

by mmmccorkle
05-24-2016 03:13 PM - edited 05-24-2016 03:14 PM

It appears that origin is not fully bypassing the decryption process. The chat portion of the origin client never loads when decryption is turned on.

Is anyone else seeing this?

I'll be grabbing a flow basic on the traffic to verify what is going on.

by jelkadri
on 06-14-2016 10:51 AM

Hi,

Can anyone tell me if I'll still be able to get granular with twitter on mobile devices if it's being excluded from ssl decryption? Basically I want to allow reading of posts but not posting.

Thanks

by NickThen
on 07-08-2016 08:49 AM

Seems that there is still no fix for ms-lync-online. We had to get around it by an exclusion of lync.com & *.lync.com. Will these be added to the exclude list in the future?

by PeitschenAugustmitderZippelmütz
on 11-29-2016 09:28 AM

It seems that the list above is not maintained anymore? What about Signal, dropbox and so on?

by
on 11-30-2016 03:01 AM

I've updated the list and added Signal; Dropbox, however, is not in the list.

by jadecker
12-12-2016 08:30 AM - edited 12-12-2016 08:30 AM

We have run into a problem with Citrix's GoToMeeting/GoToWebinar/GoToAssist/FastSupport. It started on Nov. 30, 2016.

When adding a PC to a list that excludes it from a decryption policy the applications listed above will work. When that PC is removed from the exclusion and is having its traffic decrypted then none of the applications work.

We have added the URLs listed in the link below to a custom URL category to exclude them from the decryption process.

http://support.citrixonline.com/en_us/meeting/all_files/G2M060010

After excluding the URLs from the decryption policies the issue is still present. We have opened a support case with PAN support and are waiting for a callback.

Has anyone run into this issue?

by wguensler
on 01-06-2017 12:25 PM

I've also seen the issue with GoToMeeting. Definitely needs to be excluded.

Cisco Spark is also using certificate pinning. The app forcibly exits with a certificate warning on launch. It absolutely needs to be excluded as well.

by
on 01-09-2017 12:47 AM

Hi @wguensler

Please report this issue through a support case so TAC can investigate and appropriate actions can be taken, thanks! :)
