We are using SSL Decryption and I only allow SSL traffic for specific URLs and categories which are excluded from SSL Decryption.
Palo Alto has its predefined list with SSL Decryption Exclusions (Device > Certificate Management > SSL Decryption Exclusion). From time to time I go to a website and it is blocked because:
- It is predefined in the SSL Decrypt Exclusion list
- And it is not allowed by a security rule
So now I have a URL Category with a URL List and I have to add this URL manually when I want this site to work. Of course this happens for every URL in the SSL Decrypt list. Since this is the case, it would help if there was a URL Category List which I can use in a security rule which automatically contains all URLs from the SSL Decryption Exclusions list.
Is there such an object by default or a way to generate dynamically so it is always in sync?
There's nothing currently available that would give you a list of the current domains within the SSL Decryption Exclusion list to automatically allow in your security rulebase. You could probably pull that list with the API and capture the domain entries and use it to propagate your custom-url category if you were using something like MineMeld that has an API to feed the captured domains into the list.
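A sketch of the sync step suggested in the reply above, added here as an example and not taken from the thread or from Palo Alto Networks. It assumes the exclusion list has already been exported as XML; the element names in the sample, the sample hostnames, and the function names `excluded_hosts` and `plan_sync` are all assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample. The element names are an assumption about how the
# exported exclusion list looks, not output copied from a firewall.
SAMPLE_EXPORT = """
<response status="success"><result><ssl-exclude-cert>
  <entry name="*.Pinned-App.example"><exclude>yes</exclude></entry>
  <entry name="updates.vendor.example"><exclude>yes</exclude></entry>
  <entry name="disabled.vendor.example"><exclude>no</exclude></entry>
  <entry name="bad entry/with path"><exclude>yes</exclude></entry>
</ssl-exclude-cert></result></response>
"""

# Hostname, optionally with a single leading "*." wildcard label.
HOST_RE = re.compile(r"^(\*\.)?([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def excluded_hosts(xml_text):
    """Return (valid, rejected) hostname patterns for enabled exclusions."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("export did not report success")
    valid, rejected = set(), []
    for entry in root.iter("entry"):
        # Assumption: a missing <exclude> element means the entry is active.
        if (entry.findtext("exclude") or "yes").strip() != "yes":
            continue  # exclusion switched off: the site is decrypted again
        name = (entry.get("name") or "").strip().lower()
        if HOST_RE.match(name):
            valid.add(name)
        else:
            rejected.append(name)  # never push unparsed text into an allow list
    return valid, rejected

def plan_sync(exported, current_category):
    """Diff the export against the custom URL category's current members."""
    current = {h.strip().lower() for h in current_category}
    return {"add": sorted(exported - current),
            "remove": sorted(current - exported)}

if __name__ == "__main__":
    hosts, bad = excluded_hosts(SAMPLE_EXPORT)
    print(plan_sync(hosts, ["updates.vendor.example", "old.site.example"]))
    print("rejected:", bad)
```

Because the resulting category feeds an allow rule for undecrypted traffic, review the rejected entries and the planned additions and removals before applying them.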