When I stood up a Palo Alto firewall to do research for my blog post on The Dangers of Client Probing on Palo Alto Firewalls, I also found something interesting in the UI.  Under Device -> Certificate Management -> SSL Decryption Exclusion there was a list of domains that by default were exempt from SSL Inspection.  I tweeted about it, and it started some good discussion.

As a red teamer, this information can be really useful.  If you know your client uses Palo Alto firewalls, you can make some reasonable assumptions about the configuration.  A lot of mature environments are using SSL inspection to catch threats, but may not have removed the default exemptions.  A couple of Palo Alto firewall users chimed in with their experience:

Barry points out that while it wasn’t always visible in the UI, Palo Alto firewalls have always maintained a list of exemptions.  Palo Alto used to publish a list of exempt applications in version 7.1 and prior before the list became visible in the UI.

Regarding the utility of these exemptions, there are a number of open source Remote Access Tools (RATs) that are designed to tunnel their C&C traffic through known trusted sources. Some popular examples include Gcat/Gdog, and Twittor.

It should also be noted that the exemption list is constantly updated.  My list was pulled from a fresh 8.1.0 install, but it has been reported that this list has already changed.

Building upon this, Vincent Yiu tweeted out a list of domain-frontable domains from my initial exemption list.

By pairing domain fronting with an exempt domain, potentially any HTTPS encapsulated C&C channel can avoid inspection by a PAN firewall configured with the default exemption list.
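To make the blind spot concrete from the defender's side, here is an added example (not code from the original post or from Palo Alto): it models how a decrypting firewall treats sessions against an exemption list, and shows that a session whose HTTP Host disagrees with its TLS SNI is only visible once the matching exemption is gone. The exemption patterns, the session records and the hostnames are constructed sample data, not PAN-OS's real defaults or log format.

```python
"""Added example (not from the original post): why a default SSL-decryption
exemption hides a domain-fronted session, and what becomes visible once the
exemption is removed.  All data below is constructed for illustration."""
from fnmatch import fnmatch

# Constructed exemption list (illustrative; not Palo Alto's actual defaults).
DEFAULT_EXEMPTIONS = ["*.example-cdn.net", "update.example-vendor.com"]

# Constructed session records.  'sni' is visible in the ClientHello for every
# session; 'host' (the HTTP Host header) is only observable after decryption.
SESSIONS = [
    # fronted: SNI names the shared CDN edge, Host names another tenant
    {"sni": "static.example-cdn.net", "host": "other-tenant.example-cdn.net"},
    {"sni": "static.example-cdn.net", "host": "static.example-cdn.net"},
    {"sni": "update.example-vendor.com", "host": "update.example-vendor.com"},
    {"sni": "www.example.org", "host": "www.example.org"},
]


def is_exempt(sni, exemptions):
    """True if the TLS SNI matches any exemption pattern (shell-style wildcards)."""
    return any(fnmatch(sni.lower(), pat.lower()) for pat in exemptions)


def inspect(sessions, exemptions):
    """Return (skipped, fronted).

    skipped: SNIs the firewall never decrypted because they matched an exemption;
             their Host header was never seen, so nothing can be flagged.
    fronted: decrypted sessions whose Host header disagrees with the SNI, the
             classic domain-fronting indicator a defender can alert on.
    """
    skipped, fronted = [], []
    for s in sessions:
        if is_exempt(s["sni"], exemptions):
            skipped.append(s["sni"])
            continue
        if s["host"].lower() != s["sni"].lower():
            fronted.append((s["sni"], s["host"]))
    return skipped, fronted


if __name__ == "__main__":
    print("default exemptions:", inspect(SESSIONS, DEFAULT_EXEMPTIONS))
    print("exemptions removed:", inspect(SESSIONS, []))
```

With the constructed defaults in place the fronted session is simply skipped; clearing the CDN wildcard is what lets the SNI/Host mismatch surface.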