This new feature is designed to help whitelist sites that will normally NOT WORK with decryption due to technical reasons - such as pinned certs, client-side authentication with certs, etc. As customers are also using their Decryption Policies and Decryption Profiles to perform decryption classification (what to decrypt), how to handle certificate errors, which cipher suites to use, etc., this feature isn't primarily used to police what should and shouldn't be decrypted. The decryption policy/profiles and URL filtering categories are all still used to perform the "what should be decrypted" policing. The logic behind this feature is to not break the user experience if the other policies are ALLOWING the user to go to the site. If they're allowed, this feature simply allows the user to go to the site without having it break, as the firewall will not be able to decrypt the session due to the certificate issues mentioned. Of course, customers can still disable these sites and have them break as before. But many of our customers wanted the default to ALLOW the user to access the site by whitelisting, as the site is a trusted and permitted site. Thanks