11-27-2019 12:01 PM
PA running 8.1.9. We have a rule from any source, any zone: do not decrypt the financial-services category.
CLI test
test decryption-policy-match source 10.x.x.x destination 23.249.200.33 category financial-services
Matched rule: 'No_Decrypt' action: no-decrypt
Traffic log shows decrypt error; URL log shows no decrypt.
11-27-2019 12:28 PM
Hello,
It could be because you are using an IP address instead of the URL. Check the URL against the PAN-DB URL checker.
https://urlfiltering.paloaltonetworks.com/
If it's listed correctly there, then the URL should not be decrypted.
Regards,
11-27-2019 12:31 PM
On the traffic log it shows the category as unknown, and on the URL filtering logs I see
ipg1.moneris.com/ and the category as financial services.
11-27-2019 12:33 PM
Hello,
If you browse to it from a workstation, does it try to decrypt the traffic?
Regards,
11-27-2019 01:07 PM
The problem is that it is a ticket vending machine which uses that.
11-27-2019 01:09 PM
The URL log shows ipg1.moneris.com/
I cannot access this from my PC.
11-27-2019 01:11 PM
Hello,
I have a better understanding now. So what I would do is the following:
Create a security policy that allows that machine to only go to the specific web address.
Create a decryption policy that allows all traffic sourced from the machine to bypass encryption.
You still know exactly where it's going and what it's doing.
Just a thought.
11-27-2019 01:16 PM
I created the decryption security policy to exempt all the traffic to that destination IP address.
Since then the PA is not decrypting.
Also, in the SSL decryption exclusion list I put *.moneris.com and it did not work.