Hello, I wanted to share a solution I have implemented recently. Bypassing SSL Decryption based on applications was a request I had from many customers. I know there is an FR for that, but until then, with PAN-OS 8, it is possible to achieve it differently.

I had a specific scenario where one of my customers had to connect to his customer's Pulse Secure SSL VPN device (collaboration feature). When using SSL Decryption on his PAN NGFW, the connection was failing and he had to manually add the IP address of his customer to a bypass rule. When you have hundreds of customers using that solution, and you need to add their IP addresses manually, it becomes problematic.

The idea is to dynamically add the destination address to an SSL Bypass rule. Here is how it goes...

1. Create a tag - Objects --> Tags.
2. Create a Dynamic Address Group - Objects --> Address Groups. Add the previously created tag's name as a match.
3. Create a decryption rule with the new Address Group object as a destination with a 'no-decrypt' action (pay attention to rule order).
4. Create a Log Forwarding profile with a filter that will catch a specific application ('secure-access' for my scenario). Use Traffic as the log type. Add a Built-in Action to tag the destination address.
5. Add the Log Forwarding profile to the security rule that permitted the desired application originally.
6. Commit.
7. Access the desired website (application), and verify the address has successfully been dynamically registered to the dynamic address group (click 'more') and successfully SSL Bypassed.

Please share your thoughts..
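The verification step above (and an audit of everything that auto-tagging has exempted from decryption over time) can be scripted against the firewall's registered-IP list. This is an added example, not the original poster's code: the tag name, the XML API op-command form mirroring `show object registered-ip all`, and the sample response are all assumptions constructed for the demo.

```python
"""Audit which destination IPs have been auto-tagged into the SSL-bypass DAG."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

BYPASS_TAG = "ssl-bypass"  # assumed name of the tag the Dynamic Address Group matches on

# Constructed sample of a reply to `show object registered-ip all` over the XML API;
# not captured from a real device.
SAMPLE_RESPONSE = """<response status="success"><result>
  <entry ip="203.0.113.10" from_agent="0" persistent="1"><tag><member>ssl-bypass</member></tag></entry>
  <entry ip="198.51.100.7" from_agent="0" persistent="1"><tag><member>ssl-bypass</member><member>partner</member></tag></entry>
  <entry ip="192.0.2.44" from_agent="0" persistent="1"><tag><member>quarantine</member></tag></entry>
<count>3</count></result></response>"""

def parse_registered_ips(xml_text):
    """Return {ip: set(tags)} from a registered-ip op-command response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("firewall returned status %r" % root.get("status"))
    return {e.get("ip"): {m.text for m in e.findall("tag/member")}
            for e in root.findall("result/entry")}

def bypassed_destinations(xml_text, tag=BYPASS_TAG):
    """IPs currently exempted from decryption because they carry the bypass tag."""
    return sorted(ip for ip, tags in parse_registered_ips(xml_text).items() if tag in tags)

def is_bypassed(xml_text, ip, tag=BYPASS_TAG):
    """The check from the post: has this destination actually been registered with the tag?"""
    return ip in bypassed_destinations(xml_text, tag)

def fetch_registered_ips(host, api_key, cafile=None):
    """Pull the live list over the PAN-OS XML API (op-command form is an assumption)."""
    cmd = "<show><object><registered-ip><all/></registered-ip></object></show>"
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd, "key": api_key})
    ctx = ssl.create_default_context(cafile=cafile)  # verify the management cert, no insecure shortcut
    with urllib.request.urlopen("https://%s/api/?%s" % (host, query), context=ctx, timeout=15) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    # Review this list periodically: every entry is traffic the firewall no longer inspects.
    for ip in bypassed_destinations(SAMPLE_RESPONSE):
        print("decryption bypassed for", ip)
```

Swap `SAMPLE_RESPONSE` for `fetch_registered_ips(host, api_key)` to run it against a real firewall; tagged entries stay in the group until untagged or timed out, so the audit loop is the part worth scheduling.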