Decrypt Traffic for Full Visibility and Threat Inspection
The best practice security policy dictates that you decrypt all traffic except sensitive categories, which include Health, Finance, Government, and other traffic that you don't decrypt for business, legal, or regulatory reasons.

Use decryption exceptions only where required, and be precise: scope each exception to the specific application or user that needs it, and nothing broader.
If decryption breaks an important application, create an exception for the specific IP address, domain, or common name in the certificate associated with that application, not for a whole category or subnet.
If a specific user must be excluded for regulatory, business, or legal reasons, create an exception for just that user.
Best practice Decryption policy rules include a strict Decryption Profile.
Before you configure SSL Forward Proxy, create a
best practice Decryption Profile (
settings
to block exceptions during TLS negotiation and block sessions that
can’t be decrypted:
Block sessions if resources not available stops the firewall from passing a session through undecrypted when it lacks the resources to decrypt it. This prevents potentially dangerous connections from being allowed without inspection, but it may affect the user experience under load.
Configure the SSL Decryption SSL Protocol Settings to block the use of vulnerable SSL/TLS versions (SSLv3, TLSv1.0, and TLSv1.1) and to avoid weak algorithms (MD5, RC4, and 3DES):
Use TLSv1.3 (the most secure protocol) when you can. Be aware that many mobile applications use certificate pinning; pinning prevents decryption regardless of the protocol version and causes the firewall to drop the traffic, so handle those applications with a specific decryption exception and, for that traffic, be sure to allow TLSv1.2.
Review the sites you need to access for business purposes. If any of them use TLSv1.1, create a separate Decryption policy rule and profile for those sites so that only the sites you require for business can use the less secure protocol.
The same is true of the SHA1 authentication algorithm: if you can use a stronger algorithm such as SHA256 or SHA384, do it. If only a few sites that you need for business purposes use SHA1, create a separate Decryption policy rule and profile for them.
For traffic that you are not decrypting, configure the No Decryption settings to block encrypted sessions to sites with expired certificates or untrusted issuers:
Only use a No Decryption profile for TLSv1.2 and earlier versions. Do not attach a No Decryption profile to TLSv1.3 traffic that you don't decrypt. TLSv1.3 encrypts the server certificate (everything in the handshake after ServerHello), which previous versions sent in cleartext, so without decrypting the session the firewall cannot see the certificate and cannot block sessions based on its expiry or issuer.
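The following script is an added example, not code from this documentation or from PAN-OS. It shows, as a passive observer with no session keys, why the SSL Protocol Settings and the No Decryption caveat above behave as they do: it walks the cleartext TLS record layer of a server's first flight, reports the negotiated version and cipher suite, and checks whether a Certificate handshake message is visible. The three handshake flights are constructed by hand (the certificate bytes are a placeholder, not a real DER certificate), the minimum-version check mirrors a profile that blocks SSLv3 through TLSv1.1, and the parser is deliberately minimal; it is not the firewall's decryption engine.

```python
"""Added example: what a non-decrypting observer sees in a TLS server flight.
Constructed packets, not a capture; illustrative only."""
import struct

CHANGE_CIPHER_SPEC, HANDSHAKE, APPLICATION_DATA = 0x14, 0x16, 0x17
SERVER_HELLO, CERTIFICATE = 0x02, 0x0B
EXT_SUPPORTED_VERSIONS = 0x002B          # only present in a TLS 1.3 ServerHello
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def _record(ctype, body, version=0x0303):
    return struct.pack("!BHH", ctype, version, len(body)) + body


def _handshake(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def _server_hello(cipher_suite, legacy_version=0x0303, tls13=False):
    body = (struct.pack("!H", legacy_version) + b"\x11" * 32  # random (constant here)
            + b"\x00"                                          # empty session id
            + struct.pack("!H", cipher_suite) + b"\x00")       # suite, null compression
    exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304) if tls13 else b""
    return _handshake(SERVER_HELLO, body + struct.pack("!H", len(exts)) + exts)


def _certificate(cert_bytes):
    entry = len(cert_bytes).to_bytes(3, "big") + cert_bytes
    return _handshake(CERTIFICATE, len(entry).to_bytes(3, "big") + entry)


FAKE_CERT = b"\x30\x82CONSTRUCTED-PLACEHOLDER-CERT"   # not a real DER certificate

# TLS 1.2 and TLS 1.1: ServerHello and Certificate both travel in cleartext records.
TLS12_FLIGHT = (_record(HANDSHAKE, _server_hello(0xC02F))
                + _record(HANDSHAKE, _certificate(FAKE_CERT)))
TLS11_FLIGHT = (_record(HANDSHAKE, _server_hello(0x002F, legacy_version=0x0302))
                + _record(HANDSHAKE, _certificate(FAKE_CERT)))
# TLS 1.3: only ServerHello is cleartext; the Certificate rides inside records that
# look like application data (plus a compatibility ChangeCipherSpec).
TLS13_FLIGHT = (_record(HANDSHAKE, _server_hello(0x1301, tls13=True))
                + _record(CHANGE_CIPHER_SPEC, b"\x01")
                + _record(APPLICATION_DATA, b"\xde\xad" * 40))


def _parse_server_hello(body):
    """Return (negotiated_version, cipher_suite) from a ServerHello body."""
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                   # skip random
    pos += 1 + body[pos]                           # skip legacy session id
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                       # suite + compression byte
    version = legacy_version
    if pos + 2 <= len(body):                       # extensions are optional pre-1.3
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                version = struct.unpack("!H", body[pos:pos + 2])[0]
            pos += elen
    return version, cipher_suite


def inspect_server_flight(data):
    """Walk records without keys; note version, suite, and whether a cert is visible."""
    result = {"version": None, "cipher_suite": None,
              "certificate_visible": False, "encrypted_bytes": 0}
    pos = 0
    while pos + 5 <= len(data):
        ctype, _ver, rlen = struct.unpack("!BHH", data[pos:pos + 5])
        frag = data[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
        if ctype == APPLICATION_DATA:
            result["encrypted_bytes"] += len(frag)  # opaque to us
            continue
        if ctype != HANDSHAKE:
            continue
        hpos = 0
        while hpos + 4 <= len(frag):
            htype = frag[hpos]
            hlen = int.from_bytes(frag[hpos + 1:hpos + 4], "big")
            body = frag[hpos + 4:hpos + 4 + hlen]
            hpos += 4 + hlen
            if htype == SERVER_HELLO:
                result["version"], result["cipher_suite"] = _parse_server_hello(body)
            elif htype == CERTIFICATE:
                result["certificate_visible"] = True
    return result


def policy_findings(result, min_version=0x0303):
    """Apply the page's two checks: minimum protocol version, and whether a
    No Decryption profile could evaluate the certificate at all."""
    findings = []
    v = result["version"]
    if v is None:
        return ["no ServerHello seen"]
    if v < min_version:
        findings.append(f"{VERSION_NAMES.get(v, hex(v))} is below the minimum "
                        f"{VERSION_NAMES[min_version]}")
    if not result["certificate_visible"]:
        findings.append("server certificate is not in cleartext; a No Decryption "
                        "profile cannot check expiry or issuer")
    return findings


if __name__ == "__main__":
    for name, flight in (("TLS 1.2", TLS12_FLIGHT), ("TLS 1.1", TLS11_FLIGHT),
                         ("TLS 1.3", TLS13_FLIGHT)):
        r = inspect_server_flight(flight)
        print(name, VERSION_NAMES[r["version"]], hex(r["cipher_suite"]),
              "cert visible:", r["certificate_visible"], policy_findings(r))
```

Run it and the TLS 1.3 flight is the only one whose certificate cannot be seen: the observer gets the version and cipher suite from ServerHello and then nothing but opaque bytes, which is exactly why a No Decryption profile's expired-certificate and untrusted-issuer checks have nothing to act on for TLSv1.3 traffic. The TLS 1.1 flight exposes its certificate but fails the minimum-version check, which is the case the separate, narrowly scoped policy rule for legacy sites exists to handle.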