List of Domains and Applications Excluded from SSL Decryption


Domains

There are a number of domains/SSL certificates that are excluded from SSL Decryption.

Starting with PAN-OS 8.0 and newer, the SSL exclusion is handled inside the Certificates section of the WebUI.

To see the full list of domains/SSL certificates that are excluded from SSL Decryption, go to Device > Certificate Management > SSL Decryption Exclusion in the WebGUI.

[Screenshot: 2018-07-20_ssl-cert-exlusion.png]


The domains selected with "Exclude from decryption" in this location will not be decrypted by the Palo Alto Networks device.

This list of domains is added to the SSL Decryption Exclusion list in each Content load so that the SSL engine will allow them to pass through, rather than trying to decrypt them.


Applications

In PAN-OS 7.1 and older, applications were used instead of domains.

These applications are added to an exclude list in each Content load so that the SSL engine will allow them to pass through, rather than trying to decrypt them.

 #  Application
 1  adobe-echosign
 2  aerofs
 3  aim
 4  airdroid
 5  amazon-aws-console
 6  anydesk
 7  appguru
 8  apple-game-center
 9  apple-push-notifications
10  asana
11  authentic8-silo
12  bluejeans
13  cryptocat
14  daum-mypeople
15  discord
16  dnf
17  efolder
18  evault
19  filesanywhere
20  finch
21  google-plus-posting
22  gotoassist
23  gotomeeting
24  gotomypc
25  hbo
26  hp-virtual-rooms
27  icloud
28  informatica-cloud
29  itunes
30  itunes-appstore
31  itunes-mediastore
32  itwin
33  jungledisk
34  kakaotalk
35  kakaotalk-audio-chat
36  kakaotalk-file-transfer
37  lantern
38  linkedin
39  live-mesh
40  logentries
41  logmein
42  logmeinrescue
43  meerkat
44  megachat
45  metatrader
46  minecraft
47  ms-lync-online
48  ms-product-activation
49  ms-spynet
50  ms-update
51  naver-line
52  norton-zone
53  ntr-support
54  odrive
55  office-on-demand
56  okta
57  onepagecrm
58  onlive
59  opera-vpn
60  packetix-vpn
61  paloalto-wildfire-cloud
62  pando
63  pathview
64  periscope
65  proofhq
66  puffin
67  rift
68  second-life
69  signal
70  silent-circle
71  simplify
72  sophos-rms
73  springcm
74  sugarsync
75  telex
76  tigertext
77  ubuntu-one
78  ultrasurf
79  vagrant
80  via3
81  vmware-view
82  vudu
83  wallcooler-vpn
84  webroot-secureanywhere
85  wetransfer
86  whatsapp
87  winamax
88  wiredrive
89  yunpan360-file-transfer
90  yuuguu
91  zoom
92  zumodrive

Comments

I have been trying to get the Google Drive app to bypass decryption for a while now. It seems that on my lab PA-200 with PANOS 8.x the custom URL category for sites to bypass decryption is completely ignored. I can verify decryption is working and the category is added; however, when adding *.1e100.net to the decryption bypass custom category it still tries to decrypt the traffic and the logs show decrypted "yes", which of course causes the Google Drive application to fail to connect. Disabling decryption altogether and Google Drive works. This seems like a bug with either bypassing decryption for custom URLs or for URLs with numbers in them? Or is this an issue with the application being identified as SSL instead of HTTPS web-browsing?

Did you add both *.1e100.net and 1e100.net?

@Evgeny_Kutumin : I'm now running PAN-OS 8.0.2, and finding that Skype for Business (ms-lync) is still broken by decryption... I'm talking about an enterprise instance of this, where the associated URL is lyncweb.companyname.com.

I found a solution that worked for me, in 8.0.x: on Device Tab > Certificate Management > SSL Decryption Exclusion, add and enable an exclusion for *.companyname.com

 

This was A LOT easier than trying to build exclusions for the long, long list of FQDNs and IPs that Microsoft provides on their site.


You need to exclude lync.com for Skype for Business to work.

@Maxstr Hmm, must be different for different installation types, but to get my home PC to work with corporate Lync, all I had to exclude was *.companyname.com to account for the several versions of lync[x].company.com entries I am hitting. I could not find any lync.com in my logs at all, and am not excluding it, but the app works.

@Maxstr I only did the *.1e100.net as everything I saw in the traffic log was $stuffhere.1e100.net. I can try adding it without the * also and see if that makes a difference, but I am thinking it is because the application is being identified as ssl instead of https.

@wguensler Hope this is resolved now. If not, try excluding Internet Communications and Telephony from decryption

While I agree excluding the entire URL category from decryption should certainly solve the OP's issue, it would also allow every real-time collaboration app to send files in (unknown malware) and out (around your DLP) of your network through (in essence) an encrypted tunnel...  SSL-decryption is no longer a "nice to have", it should be a much more mature feature by now IMHO...

Hi,

 

How about windows-update now ?

Because I have a problem with windows-update when I turn on SSL Decryption. It cannot download any patch update from Microsoft.

 

Thank you.

Hi @TranTienDat

 

We only add applications that cannot be decrypted to the exclusions. If you're having issues with Windows Update, you'll want to do some troubleshooting to figure out what's going on, and possibly reach out to support for assistance.

How do you add a specific application when there are no URLs inside the log? I.e., if you check the traffic logs, it's showing SSL as the Application and no more info other than a destination IP that could be changing.

It appears SSL Inspection is also breaking the ability to download/update apps from the Microsoft/Windows Store on Windows 10.

You may want to add facebook app to that list also.

To all, this list has been changed to the SSL Decryption Exclusion list, and this article has been updated to reflect that.

I'm testing with AnyDesk. I searched in SSL Decryption Exclusion and saw it has AnyDesk Client and AnyNet Relay, but it seems not to work when the client uses the AnyDesk application. The AnyDesk client showed "cannot connect to anydesk network (ssl_14090086)".

So I think the exclusion with AnyDesk Client does not work.

Does anyone have the same issue?

 

Thanks,

dat

I have the same problem with AnyDesk. I have solved it by inserting a rule that does "no decrypt" if the target is the AnyDesk IP services...


Adding the IP range of the service is the solution we used and it works.

Hi @oscaringosv and @cverniani

 

Could you share the list of AnyDesk IPs with me?

 

Thanks,

dat

I use:

 

5.9.58.236

176.9.17.73

85.25.103.30

and fqdn boot-01.net.anydesk.com

 

It seems to be working.

You're welcome.

Claudio Verniani 

CIO Glem Gas Spa

Hi guys, can we also have the prior exclusion list included back into this article? Some of the users are still on 7.1 and want to have it available to them rather than referring to an 8.0-and-above device.

 

-Norman

@Norman-Wong

I have updated the article to include both the Application list and the Domain reference. Hope this helps.

My version is 8.1.2. And I have reported that the AnyDesk default exclusion does not work. I have even inserted the domain *.anydesk.com in the SSL DECRYPTION EXCLUSION list, but the client continues to not connect...

I have solved the problem with a new decryption policy with the exclusion of the following IPs

 

5.9.58.236

176.9.17.73

85.25.103.30

and fqdn boot-01.net.anydesk.com

 

Best Regards

 

 

Claudio Verniani

CIO Glem Gas Spa

Hi @cverniani,

 

Thank you for your help.

 

Best Regards,

dat

@cverniani thanks for giving the AnyDesk service list. But I think there are many IPs for AnyDesk.

I saw it in my firewall logs... around 50...

Afraid that I will have to add all 50?

I don't understand this. From my point of view this page should have followed the below logic:

"if the server presented certificate X exclude from decryption"

From what I understand this screen is the same as configuring an SSL Decryption Bypass Rule with URL categorization with all the domains in the list.

Need to exclude the "*.net.anydesk.com" domain for AnyDesk to work.

 

https://support.anydesk.com/Firewall
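A small checker, added here as an example and not code from Palo Alto Networks or this article, that tests exclusion entries of the shapes discussed above (*.1e100.net beside 1e100.net, *.companyname.com, *.anydesk.com) against a constructed sample of hostnames as they would appear in the traffic log. Whether a leading "*." covers one DNS label or several is an assumption the code exposes as a flag, since the page does not state the PAN-OS rule; running both modes shows which entries depend on it.

```python
"""Check SSL Decryption Exclusion entries against observed hostnames.

Exclusion entries and hostnames below are constructed from the cases in
this thread; they are not from the firewall. Wildcard semantics are an
assumption: multi_label=False reads "*.anydesk.com" as one label,
multi_label=True lets it absorb several (boot-01.net.anydesk.com).
"""

# Constructed exclusion list, mirroring entries people tried in the comments.
EXCLUSIONS = ["*.1e100.net", "1e100.net", "*.companyname.com", "*.anydesk.com"]

# Constructed SNI/CN values as they might show up in a traffic log.
OBSERVED = [
    "drive.1e100.net",
    "1e100.net",
    "lyncweb.companyname.com",
    "boot-01.net.anydesk.com",
    "relay.anydesk.com",
    "update.microsoft.com",
]


def matches(entry: str, host: str, multi_label: bool) -> bool:
    """True if the exclusion entry covers the hostname.
    Only a leading "*." is treated as a wildcard; any other entry must
    equal the hostname exactly. Matching is case-insensitive and ignores
    a trailing dot. The bare apex (1e100.net) is never covered by "*.".
    """
    entry, host = entry.lower().rstrip("."), host.lower().rstrip(".")
    if not entry.startswith("*."):
        return entry == host
    suffix = entry[1:]                      # ".1e100.net"
    if not host.endswith(suffix):
        return False
    prefix = host[: -len(suffix)]           # labels the wildcard absorbs
    return multi_label or "." not in prefix


def audit(exclusions, observed, multi_label: bool) -> dict[str, list[str]]:
    """Map each observed hostname to the entries that would exclude it."""
    return {h: [e for e in exclusions if matches(e, h, multi_label)] for h in observed}


def still_decrypted(exclusions, observed, multi_label: bool) -> list[str]:
    """Hostnames that no entry covers; the firewall would still decrypt these."""
    return [h for h, hits in audit(exclusions, observed, multi_label).items() if not hits]


if __name__ == "__main__":
    for mode in (False, True):
        print(f"multi_label={mode}: still decrypted -> {still_decrypted(EXCLUSIONS, OBSERVED, mode)}")
```

Under the single-label reading, boot-01.net.anydesk.com is left uncovered by *.anydesk.com, which is the behaviour the *.net.anydesk.com comment describes; the multi-label reading covers it.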