There are a number of domains/SSL certificates that are excluded from SSL decryption.
Starting with PAN-OS 8.0 and newer, the SSL exclusion is handled inside the Certificates section of the WebUI.
To see the full list of domains/SSL certificates that are excluded from SSL decryption, go to WebGUI > Device > Certificate Management > SSL Decryption Exclusion.
The domains marked "Exclude from decryption" in this location will not be decrypted by the Palo Alto Networks device.
This list of domains is added to the SSL Decryption Exclusion list with each Content load, so that the SSL engine will allow them to pass through rather than trying to decrypt them.
In PAN-OS 7.1 and older, applications were used instead of domains.
These applications are added to an exclude list with each Content load, so that the SSL engine will allow them to pass through rather than trying to decrypt them.
I have been trying to get the Google Drive app to bypass decryption for a while now. It seems that on my lab PA-200 with PAN-OS 8.x the custom URL category for sites to bypass decryption is completely ignored. I can verify decryption is working and the category is added; however, when adding *.1e100.net to the decryption bypass custom category it still tries to decrypt the traffic and the logs show decrypted "yes", which of course causes the Google Drive application to fail to connect. Disabling decryption altogether and Google Drive works. This seems like a bug with either bypassing decryption for custom URLs or for URLs with numbers in them? Or is this an issue with the application being identified as SSL instead of HTTPS web-browsing?
Did you add both *.1e100.net and 1e100.net?
@Evgeny_Kutumin: I'm now running PAN-OS 8.0.2, and finding that Skype for Business (ms-lync) is still broken by decryption. I'm talking about an enterprise instance of this, where the associated URL is lyncweb.companyname.com.
I found a solution that worked for me, in 8.0.x, on Device Tab>Certificate Management>SSL Decryption Exclusion, add and enable exclusion for *.companyname.com
This was a lot easier than trying to build exclusions for the long, long list of FQDNs and IPs that Microsoft provides on their site.
You need to exclude lync.com for Skype for Business to work.
@Maxstr Hmm, must be different for different installation types, but to get my home PC to work with corporate Lync, all I had to exclude was *.companyname.com to account for the several versions of lync[x].company.com entries I am hitting. I could not find any lync.com in my logs at all, and am not excluding it, but the app works.
@Maxstr I only did the *.1e100.net as everything I saw in the traffic log was $stuffhere.1e100.net. I can try adding it without the * also and see if that makes a difference, but I am thinking it is because the application is being identified as ssl instead of https.
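The exchange above turns on a detail that is easy to get wrong when building an exclusion list: a wildcard entry such as *.1e100.net covers the hosts under that name but not the bare name itself. The following script is an added example, not code from the article or from Palo Alto Networks; it assumes a simple matching model (a leading "*." matches any subdomain, an entry without a wildcard matches only the exact host) and runs over constructed, simplified log lines of the form "app=... sni=... decrypted=yes|no". It flags hosts that were decrypted even though an exclusion entry should have covered them (worth a look at the decryption policy or the application match, as the comments suggest) and hosts that were decrypted because no entry covers them at all.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample log lines (not real firewall output). The fields are a
# simplified stand-in for the traffic/decryption log columns discussed above.
SAMPLE_LOG = [
    "app=ssl sni=clients6.1e100.net decrypted=yes",
    "app=ssl sni=1e100.net decrypted=yes",
    "app=web-browsing sni=lyncweb.companyname.com decrypted=no",
    "app=ssl sni=relay-01.net.anydesk.com decrypted=yes",
    "app=web-browsing sni=www.example.org decrypted=yes",
]

# Exclusion entries in the style used in this thread (assumed wildcard syntax).
EXCLUSIONS = ["*.1e100.net", "*.companyname.com", "*.net.anydesk.com"]

LOG_RE = re.compile(
    r"app=(?P<app>\S+)\s+sni=(?P<sni>\S+)\s+decrypted=(?P<decrypted>yes|no)"
)


def entry_matches(entry: str, host: str) -> bool:
    """Return True if one exclusion entry covers the given hostname.

    Assumed semantics: '*.example.com' matches any host *below* example.com
    (one or more labels), never the apex 'example.com' itself; an entry with
    no wildcard must match the hostname exactly. Comparison is case-insensitive
    and ignores a trailing dot.
    """
    entry = entry.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if entry.startswith("*."):
        suffix = entry[1:]  # keep the leading dot so "x1e100.net" does not match
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def is_excluded(host: str, exclusions: Iterable[str]) -> bool:
    """True if any entry in the exclusion list covers the host."""
    return any(entry_matches(entry, host) for entry in exclusions)


def parse_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse the simplified log format into dicts; malformed lines are skipped."""
    records = []
    for line in lines:
        match = LOG_RE.search(line)
        if match:
            records.append(match.groupdict())
    return records


def audit(lines: Iterable[str], exclusions: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Classify decrypted hosts.

    Returns (covered_but_decrypted, not_covered):
      covered_but_decrypted - an exclusion entry matches, yet the log says
                              decrypted=yes; the exclusion is not taking effect.
      not_covered           - decrypted and no entry matches; typically a
                              missing apex entry or a host nobody listed yet.
    """
    covered_but_decrypted: List[str] = []
    not_covered: List[str] = []
    for rec in parse_log(lines):
        if rec["decrypted"] != "yes":
            continue
        host = rec["sni"]
        if is_excluded(host, exclusions):
            covered_but_decrypted.append(host)
        else:
            not_covered.append(host)
    return covered_but_decrypted, not_covered


if __name__ == "__main__":
    covered, missing = audit(SAMPLE_LOG, EXCLUSIONS)
    print("Excluded by an entry but still decrypted:", covered)
    print("Decrypted with no matching entry:", missing)
```

Run against the constructed log, the bare "1e100.net" lands in the second list even though "*.1e100.net" is configured, which is the gap the question about adding both entries points at; the hosts in the first list are the ones where something other than the list contents (the decryption policy match, or how the application was identified) needs checking.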
@wguensler Hope this is resolved now. If not, try excluding Internet Communications and Telephony from decryption.
While I agree excluding the entire URL category from decryption should certainly solve the OP's issue, it would also allow every real-time collaboration app to send files in (unknown malware) and out (around your DLP) of your network through (in essence) an encrypted tunnel. SSL decryption is no longer a "nice to have"; it should be a much more mature feature by now, IMHO.
How about windows-update now?
Because I have a problem with windows-update when I turn on SSL Decryption. It cannot download any patch update from Microsoft.
We only add applications that cannot be decrypted to the exclusions. If you're having issues with Windows Update you'll want to do some troubleshooting to figure out what's going on, and possibly reach out to support for assistance.
How do you add a specific application when there are no URLs in the log? I.e., if you check the traffic logs it shows SSL as the application and no more info other than a destination IP that could be changing.
It appears SSL Inspection is also breaking the ability to download/update apps from the Microsoft/Windows Store on Windows 10.
You may want to add the Facebook app to that list also.
To all, this list has been changed to the SSL Decryption Exclusion list, and this article has been updated to reflect that.
I'm testing with AnyDesk. I searched in SSL Decryption Exclusion and saw it has AnyDesk Client and AnyNet Relay, but it seems not to work when the client uses the AnyDesk application. The AnyDesk client showed "cannot connect to anydesk network (ssl_14090086)".
So I think the exclusion for AnyDesk Client does not work.
Anyone have the same issue as me?
I have the same problem with AnyDesk. I solved it by inserting a rule that does "no decrypt" if the target is the AnyDesk IP services...
Adding the IP range of the service is the solution we used and it works.
Hi @oscaringosv and @cverniani,
Could you share with me the list of AnyDesk IPs?
And the FQDN boot-01.net.anydesk.com;
it seems to be working.
CIO Glem Gas Spa
Hi guys, can we also have the prior exclusion list included back in this article? Some of the users are still on 7.1 and want to have it available to them rather than referring to an 8.0 and above device.
I have updated the article to include both the Application list and the Domain reference. Hope this helps.
My version is 8.1.2, and I have reported that the AnyDesk default exclusion does not work. I have even inserted the domain *.anydesk.com in the SSL Decryption Exclusion list, but the client still does not connect. ...I solved the problem with a new decryption policy excluding the following IPs.
Thank you for your help.
@cverniani thanks for giving the AnyDesk service list, but I think there are many IPs for AnyDesk.
I saw them in my firewall logs... around 50...
Afraid that I will have to add all 50?
I don't understand this. From my point of view this page should have followed the logic below:
"if the server presented certificate X, exclude from decryption"
From what I understand, this screen is the same as configuring an SSL Decryption Bypass rule with URL categorization containing all the domains in the list.
Need to exclude the "*.net.anydesk.com" domain for AnyDesk to work.