SSL No-Decrypt issues

Showing results for 
Show  only  | Search instead for 
Did you mean: 

SSL No-Decrypt issues

L0 Member


I'm testing on two different versions of PAN-OS (11.0 and 11.1).  There's a couple of issues I'm noticing with decryption/no-decryption.  I have a profile setup for no-decrypt in which healthcare-and-medicine is a category that isn't supposed to be decrypted.  What I've noticed is that when HTTP/2 decryption is enabled, sometimes the firewall decrypts healthcare-and-medicine based websites (application shows as web-browsing and decrypted = yes).  Often times after the initial connection (letting the browser TLS sessions time-out) then the same destination IP's will show as ssl and decrypted = no.

If I then turn off HTTP/2 inspection via "Strip ALPN", all the websites will always be catagorized as ssl and decrypted = no (as I would expect).  Am I missing something with the way the firewall handles HTTP/2 and decryption exclusions?

The second issue I'm running into is platform dependent in which 11.0 (when decryption is excluded) will have a corresponding URL match from the SNI extension in the TLS handshake.  On version 11.1, this appears to be broken and it's not pulling the SNI or common name from the cert and therefore there is no accompanying URL entry and thus security policies are hit differently because of the lack of URL catagorization.


Anyone have any insight on these two issues?


Thank you!




L0 Member

We have tried and tried and tried with no-decrypt and it's flapping back and forth.  I've went so far as to strip the firewall down to one NAT rule, two policy rules and two decryption rules.


When there's a category specified in the no-decrypt rule (which is above the decrypt rule), we are seeing behavior where traffic to those sites is sometimes decrypted, other times it's not.  We cannot get a successful test of ensuring decryption is not happening on sensitive categories.  I think these things are broken.

  • 1 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!