You mean if a particular threat item isnt evaluated because the traffic happens to be ssl or ssh or similar?
I guess this would be true in order to lower number of false positivies.
On the other hand there are many threats where it doesnt matter if the payload is encrypted or not.
Just to add, say for example To block facebook by application in a rule , SSL decryption needs to be configured on the PAN, so that the PAN can proxy the outbound SSL sessions and get visibility into the traffic enabling it to identify the application correctly as 'facebook' and enforce app-ID based rules.
Hence, without SSL decryption the app-id in traffic logs will appear as 'ssl' for the facebook session. Once SSL decryption is configured, the app-id in monitor logs should show as 'facebook'.
A technote on how to configure SSL decryption can be found at :
Let me know if that helps.
I think it varies by app-id signature. I've created a custom app-id that looks at the cn part of the cert. If a match is present, then the application is called "my custom app" instead of SSL. At that point, I can create a security rule that blocks "my custom app" while still permitting SSL.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!