How to Exclude a Site from SSL Decryption

Created On 09/25/18 19:10 PM - Last Modified 06/09/23 08:55 AM


Resolution


This article relates to PAN-OS 7.1 and prior. For PAN-OS 8.0 and later, please refer to this article

 

This article describes how to exclude a site from decryption by importing its certificate on the PAN and marking it as an SSL Exclude Certificate.

Steps

  1. Identify the site to exclude from decryption (e.g. www.wellsfargo.com in the test case).
  2. Locate its certificate in the browser (Chrome in the test case).

  3. Click Certificate information and browse to the Details tab.

  4. Click Copy to File to export the certificate.  This launches the Certificate Export Wizard.

  5. Select Base 64 (.CER)[PEM] as the export format.  Name the file and save it on the PC (saved as abcd.cer in the test case).
  6. Import this cert on the PAN: Device > Certificates > Import.  Browse to where the cert is stored on the PC, select Base64 Encoded Certificate (PEM) as the File format, and click OK.

  7. Once the cert is imported, click on the cert and select SSL Exclude Certificate.

  8. Once this is complete, browse to the site whose cert was imported onto the PAN and check the certificate presented.  Even though this session is subject to the SSL Decryption policy, the browser shows the original issuer certificate, not the cert proxied by the PAN.  This shows that the session was excluded from decryption.
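
The check in step 8 can also be scripted. The following is an added example, not code from the original article or from Palo Alto Networks: it normalizes the file exported in step 5 (Base64/PEM, or binary DER if the wrong format was chosen) and compares its SHA-256 fingerprint with the certificate actually presented to a client behind the firewall. The function names, the host `site.example` and the sample bytes are assumptions made for illustration.

```python
import hashlib
import ssl

BEGIN = "-----BEGIN CERTIFICATE-----"

def load_cert_der(data: bytes) -> bytes:
    """Return the DER bytes of an exported certificate file (Base64/PEM or binary DER)."""
    text = data.decode("ascii", errors="ignore").strip()
    if BEGIN in text:
        if text.count(BEGIN) != 1:
            raise ValueError("file holds a chain; export only the site's own certificate")
        return ssl.PEM_cert_to_DER_cert(text)
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: exported as binary DER, not Base64
        return data
    raise ValueError("not a PEM or DER certificate")

def as_pem(data: bytes) -> str:
    """Normalize the export to the Base64 (PEM) form selected in the import dialog."""
    return ssl.DER_cert_to_PEM_cert(load_cert_der(data))

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, comparable with the value a browser shows for the cert."""
    return hashlib.sha256(der).hexdigest()

def is_excluded(exported: bytes, host: str, port: int = 443,
                fetch=ssl.get_server_certificate) -> bool:
    """True if the certificate presented for host is byte-identical to the export.

    The default fetch does not validate the chain, so it also retrieves a
    certificate re-signed by the firewall, which then fails the comparison.
    """
    presented = ssl.PEM_cert_to_DER_cert(fetch((host, port)).strip())
    return fingerprint(presented) == fingerprint(load_cert_der(exported))

# Constructed sample bytes standing in for real certificates (not valid X.509).
SITE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
PROXY_DER = b"\x30\x82\x01\x00" + bytes(reversed(range(256)))

if __name__ == "__main__":
    exported = ssl.DER_cert_to_PEM_cert(SITE_DER).encode()
    # Offline stand-ins for the network fetch: original cert vs. firewall-issued cert.
    original = lambda addr: ssl.DER_cert_to_PEM_cert(SITE_DER)
    proxied = lambda addr: ssl.DER_cert_to_PEM_cert(PROXY_DER)
    print("excluded:", is_excluded(exported, "site.example", fetch=original))
    print("excluded:", is_excluded(exported, "site.example", fetch=proxied))
```

Run it from a client whose traffic passes through the firewall, leaving `fetch` at its default. A mismatch can also mean the site has since replaced its certificate or serves more than one, in which case the newer certificate needs to be exported again.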

 

 

Also see

List of Applications Excluded from SSL Decryption

SSL Website not working even after using excluding the Server Certificate from Decryption

 

 

owner: achitwadgi


