financial-services is exempt from decryption still decrypt error

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

financial-services is exempt from decryption still decrypt error

Cyber Elite
Cyber Elite

PA running 8.1.9  we have rule from any source any zone do not decrypt financial-services category.

CLI  test 

 

test decryption-policy-match source 10.x.x.x  destination 23.249.200.33 category financial-services

Matched rule: 'No_Decrypt' action: no-decrypt

 

Traffic log shows decrypt error URL log shows no decrypt.

MP

Help the community: Like helpful comments and mark solutions.
1 accepted solution

Accepted Solutions

Hello,

I have a better understanding now. So what I would do is the following:

 

Create a security policy that allows that machine to only go to the specific web address.

Create a  decryption policy that allows all traffic sourced from the machine to bypass encryption.

 

You still know exactly where its going and what its doing.

 

Just a thought.

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

Hello,

It could be because you are using an IP address instead of the URL. Check the URL against the PAN-DB URl checker.

 

https://urlfiltering.paloaltonetworks.com/

 

If its listed correctly there, then the URL should not be decrypted.

 

Regards,

on traffic log it shows category as unknown and on url filtering logs i see

 

ipg1.moneris.com/  and category as financial services

 

 

MP

Help the community: Like helpful comments and mark solutions.

Hello,

If you browse to it from a workstation, does it try to decrypt the traffic?

Regards,

PRoblem is it is ticket vending machine which uses that 

 

MP

Help the community: Like helpful comments and mark solutions.

url log shows ipg1.moneris.com/

 

i can not access this from my pc 

MP

Help the community: Like helpful comments and mark solutions.

Hello,

I have a better understanding now. So what I would do is the following:

 

Create a security policy that allows that machine to only go to the specific web address.

Create a  decryption policy that allows all traffic sourced from the machine to bypass encryption.

 

You still know exactly where its going and what its doing.

 

Just a thought.

I create the decryption security policy to exempt all the traffic to that  destination ip address.

Since then PA is not decrypting.

 

Also SSL decryption exclusion list i put *.moneris.com and it did not worked.

MP

Help the community: Like helpful comments and mark solutions.
  • 1 accepted solution
  • 4389 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!