SSL Website Not Working After Excluding the Server Certificate from Decryption



Some SSL websites still do not open after their URL has been added to the SSL-Exclude-Certificate list (ssl-exclude-cert) by following the instructions in How to Exclude a Site from SSL Decryption.


The same failure occurs for URLs that Palo Alto Networks implicitly excludes, as published in List of Applications Excluded from SSL Decryption.


When a URL category is referenced in a Decryption rule and traffic for a website in that category reaches the device for the first time, the firewall does not skip decryption based on the SNI (Server Name Indication) in the Client Hello, even if that website is listed in the SSL-Exclude-Certificate settings.


The firewall still acts as a forward proxy for the connection and sends its own list of supported cipher suites to the server.


If the server accepts the Client Hello proposed by the firewall and replies with a Server Hello and Certificate, the firewall inspects the Common Name in the server certificate and compares it against the configured SSL-Exclude-Certificate settings. On a match, the server address and TCP port are added to the exclude cache for the rule they matched. Subsequent connections with the same parameters hit this cache, and the firewall then skips the proxy altogether.


If the server does not support the cipher suites sent (rewritten) by the firewall, the server may respond with an SSL alert or simply reset the connection with a TCP RST.



If the firewall is offering cipher suites the server does not support, so that the site still fails even after its certificate has been added to the SSL-Exclude-Certificate settings, perform the following steps to resolve the issue.


  1. Under Objects > URL Category, click Add to create a new custom URL category, for example ExcludeSSLdescryption, and add the URLs that you do not want decrypted to this category.

  2. Under Policies > Decryption, create a No-Decrypt rule above the SSL decryption rule that decrypts the rest of the traffic, and select the newly created URL category (ExcludeSSLdescryption) in the rule's URL Category field. Traffic for this URL category is then excluded from the decryption policy.

  3. Commit this change for it to take effect.
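To make the sequence above concrete, the following Python model (an added illustration, not PAN-OS code; the Firewall and Server classes, the example.net hosts and the 203.0.113.x addresses are constructed) replays the exclude-cache logic and shows why an SSL-Exclude-Certificate entry never helps a server that rejects the proxy's cipher suites, while the custom URL category with a No-Decrypt rule is decided from the SNI before any proxy takes place.

```python
from dataclasses import dataclass, field

@dataclass
class Server:
    # Constructed stand-in for a TLS server: address, certificate CN, accepted suites.
    ip: str
    port: int
    cert_cn: str
    accepted_ciphers: set

@dataclass
class Firewall:
    url_categories: dict        # hostname (from SNI) -> URL category
    no_decrypt_categories: set  # categories listed in a No-Decrypt rule
    exclude_cert_cns: set       # SSL-Exclude-Certificate common names
    proxy_ciphers: set          # suites the forward proxy offers the server
    exclude_cache: set = field(default_factory=set)  # (ip, port) learnt from certs

    def handle(self, sni: str, server: Server) -> str:
        # 1. A No-Decrypt rule on the URL category is decided from the SNI alone.
        if self.url_categories.get(sni) in self.no_decrypt_categories:
            return "no-decrypt rule: passed through"
        # 2. The exclude cache only holds servers whose certificate was seen earlier.
        if (server.ip, server.port) in self.exclude_cache:
            return "exclude cache hit: proxy skipped"
        # 3. Otherwise the proxy sends its own Client Hello; a rejection means no cert.
        if not self.proxy_ciphers & server.accepted_ciphers:
            return "server rejected proxy Client Hello: connection fails"
        # 4. CN checked against the exclusion list; on a match (ip, port) is cached.
        if server.cert_cn in self.exclude_cert_cns:
            self.exclude_cache.add((server.ip, server.port))
            return "certificate matched exclusion: cached, not decrypted"
        return "decrypted"

def walkthrough() -> list:
    """Replays the three situations the article describes with constructed hosts."""
    proxy = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
    fw = Firewall(url_categories={"ok.example.net": "business", "picky.example.net": "business"},
                  no_decrypt_categories=set(), proxy_ciphers=proxy,
                  exclude_cert_cns={"ok.example.net", "picky.example.net"})
    ok = Server("203.0.113.10", 443, "ok.example.net", proxy | {"TLS_AES_256_GCM_SHA384"})
    picky = Server("203.0.113.20", 443, "picky.example.net", {"TLS_AES_256_GCM_SHA384"})
    out = [fw.handle("ok.example.net", ok), fw.handle("ok.example.net", ok)]
    out.append(fw.handle("picky.example.net", picky))  # fails on every attempt
    # The fix from the steps above: custom category plus a No-Decrypt rule, matched on SNI.
    fw.url_categories["picky.example.net"] = "ExcludeSSLdescryption"
    fw.no_decrypt_categories.add("ExcludeSSLdescryption")
    out.append(fw.handle("picky.example.net", picky))
    return out
```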




Quick question.


For the ExcludeSSLdescryption custom URL category, does it only use the Common Name in the cert, or does it use the CN in addition to the Subject Alternative Name? (or just the SAN)?


Thank you