SSL DECRYPTION: How to automate URL/domain decryption exclusion properly?

L0 Member

Use case: Our users go through Palo Alto for internet access. The decryption feature has been enabled.
When users try to access the internet, it may fail because of a decryption error.
We need a solution to automate URL SSL decryption exclusion and log the excluded URLs for review, ideally in a dynamic external list or in a custom URL category. These dynamic objects will be in a no-decrypt rule.


How can I achieve it?

Several main causes of errors: server-error, client-error, mainly about handshake negotiation.
Existing solutions:
- Use a feature in the decryption policies to bypass decryption for decryption errors. However, the decryption exclusion happens only if the server answers with a handshake error; on the other hand, we don't have great visibility on these URL exclusions for decryption.
- Use a log forwarding feature to automate IP decryption and fill the IPs in a dynamic object. This is not correct because we want to exclude the URL and not the IP of the server or the hosts.
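
An added example, not part of the original post and not vendor code: one way to turn exported decryption error records into a hostname list (one entry per line, suitable for serving as an external list) plus a review record for every candidate. The CSV column names `sni`, `error` and `src_user`, the sample rows and the `min_users` threshold are assumptions made for this sketch.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The column names are assumptions for this
# example, not the firewall's real log schema.
SAMPLE_LOG = """\
sni,error,src_user
api.pinned-app.example,client-error,alice
api.pinned-app.example,client-error,bob
api.pinned-app.example,server-error,carol
legacy.vendor.example,server-error,alice
legacy.vendor.example,server-error,alice
10.0.0.5,server-error,bob
,client-error,dave
"""

HANDSHAKE_ERRORS = {"client-error", "server-error"}


def is_hostname(value):
    """Accept only DNS names; reject an empty SNI and bare IP addresses."""
    labels = value.split(".")
    if len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(l and l.replace("-", "").isalnum() for l in labels)


def build_exclusions(log_text, min_users=2):
    """Return (edl_entries, review_rows) from a CSV export of decryption errors.

    A host is listed only when at least min_users distinct users hit a
    handshake error on it, so a single misbehaving client cannot switch
    off decryption for a site on its own. Every candidate is kept in
    review_rows, excluded or not, so the decision can be audited.
    """
    users, errors = defaultdict(set), defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        host = row["sni"].strip().lower().rstrip(".")
        if row["error"] in HANDSHAKE_ERRORS and is_hostname(host):
            users[host].add(row["src_user"])
            errors[host].add(row["error"])
    review = [
        {"host": h, "users": len(users[h]), "errors": sorted(errors[h]),
         "excluded": len(users[h]) >= min_users}
        for h in sorted(users)
    ]
    return [r["host"] for r in review if r["excluded"]], review
```

Keying on the hostname rather than the server IP matches the requirement above; the review rows are what gets logged before any entry is trusted long term.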

