Even though I am bypassing SSL Decryption for the finance category, as a best practice I am still using No Decryption profile settings, like Block sessions with expired certificates and Block sessions with untrusted issuers. It seems that after unchecking the Block sessions with untrusted issuers option the finance website is working and the session end reason is tcp-fin instead of the decrypt-cert-validation error. However, I see this is not a good practice. I know that this might be resolved after adding the Intermediate or Root certificate to the PAN firewall Default Trusted Certificate Authority store, but does this mean I have to import and add the third-party certs of financial websites every time?
In my personal opinion, bypassing SSL Decryption across the financial category is not a best practice. The main reason for needing a bypass is to use an application other than a browser. This carries the risk of improper detection of attacks. Applications often have individual best practices that you should follow.
In other words, what you want to do is not a best practice, so it's not much different from the current situation.
Instead, you'll be happier if you care about DNS Security and a second URL category for risk assessment.
Are you seeing this for many financial sites? There may be a few root certificates you may need to add, but it shouldn't be a very large number.
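The two No Decryption profile checks discussed in the question (untrusted issuer and expired certificate) are plain X.509 chain validation, so the same outcome can be reproduced with OpenSSL to find out which issuer a site needs in the trust store. This is an added illustration, not PAN-OS code or anything from the thread; the CA name "Example Finance Root CA", the hostname "bank.example" and the key material are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: a private root CA (standing in for a financial site's
# third-party issuer) signs a leaf cert. Verifying the leaf against the default
# trust store fails like "Block sessions with untrusted issuers"; trusting the
# root makes it pass; checking at a future time fails like "Block sessions with
# expired certificates".
set -e
work=$(mktemp -d)

# Constructed root CA (placeholder subject), valid for 2 days.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$work/root.key" \
  -out "$work/root.pem" -subj "/CN=Example Finance Root CA" -days 2 >/dev/null 2>&1
# Constructed leaf for a placeholder hostname, signed by that root, valid 1 day.
openssl req -newkey rsa:2048 -nodes -keyout "$work/leaf.key" \
  -out "$work/leaf.csr" -subj "/CN=bank.example" >/dev/null 2>&1
openssl x509 -req -in "$work/leaf.csr" -CA "$work/root.pem" -CAkey "$work/root.key" \
  -CAcreateserial -out "$work/leaf.pem" -days 1 >/dev/null 2>&1

# issuer_of CERT: prints the issuer DN, i.e. the CA that has to be trusted.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# verify_leaf CERT [CAFILE] [EPOCH]: prints "ok" or "untrusted". Without CAFILE
# only the default system store is consulted, which lacks the constructed root.
# EPOCH, when given, is the validation time (used to model an expired cert).
verify_leaf() {
  set -- "$1" "${2:-}" "${3:-}"
  opts=""
  [ -n "$2" ] && opts="$opts -CAfile $2"
  [ -n "$3" ] && opts="$opts -attime $3"
  # shellcheck disable=SC2086  # opts is intentionally word-split
  if openssl verify $opts "$1" >/dev/null 2>&1; then echo ok; else echo untrusted; fi
}

later=$(( $(date +%s) + 7 * 86400 ))   # 7 days ahead: both certs expired by then
echo "leaf issuer:            $(issuer_of "$work/leaf.pem")"
echo "default store only:     $(verify_leaf "$work/leaf.pem")"
echo "root added to store:    $(verify_leaf "$work/leaf.pem" "$work/root.pem")"
echo "root added, 7 days on:  $(verify_leaf "$work/leaf.pem" "$work/root.pem" "$later")"
```

The issuer line is what tells you which intermediate or root to import into the firewall's trusted CA store; the two failing cases show that a missing issuer and an expired certificate are reported the same way by the verifier even though the profile exposes them as separate options.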