Decrypt Traffic for Full Visibility and Threat Inspection
The best practice security policy dictates that you decrypt all traffic except sensitive categories, which include Health, Finance, Government, Military, and Shopping.

Use decryption exceptions only where required, and be precise: limit each exception to the specific application or user that needs it.
- If decryption breaks an important application, create an exception for the specific IP address, domain, or common name in the certificate associated with the application.
- If a specific user needs to be excluded for regulatory or legal reasons, create an exception for just that user.

Best practice Decryption policy rules include a strict Decryption Profile. Before you configure SSL Forward Proxy, create a best practice Decryption Profile (Objects > Decryption Profile) to attach to your Decryption policy rules:
1. Configure the SSL Decryption > SSL Forward Proxy settings to block exceptions during SSL negotiation and to block sessions that can't be decrypted.
2. Configure the SSL Decryption > SSL Protocol Settings to block use of vulnerable SSL/TLS versions (TLS 1.0 and SSLv3) and to avoid weak algorithms (MD5, RC4, and 3DES).
3. For traffic that you are not decrypting, configure the No Decryption settings to block encrypted sessions to sites with expired certificates or untrusted issuers.
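The following is an added example, not PAN-OS code or part of the original page. It models the decision logic that the policy above describes as a small Python evaluator: sessions in sensitive categories, on excepted applications, or for excepted users fall under a No Decryption rule, everything else is decrypted, and the strict profile settings (vulnerable versions, weak algorithms, undecryptable sessions, expired certificates, untrusted issuers) are applied on each path. The Session and Exceptions fields, the category names, and the IANA-style cipher suite names are assumptions made for illustration; a real firewall resolves these from the TLS handshake and URL filtering.

```python
from dataclasses import dataclass
from datetime import date

# Constructed model of the best-practice Decryption policy and profile.
# Not PAN-OS code: all names and values below are illustrative assumptions.

SENSITIVE_CATEGORIES = {"health", "finance", "government", "military", "shopping"}
VULNERABLE_VERSIONS = {"SSLv3", "TLS1.0"}
WEAK_ALGORITHMS = {"MD5", "RC4", "3DES"}


@dataclass
class Session:
    url_category: str
    tls_version: str          # e.g. "TLS1.2"
    cipher: str               # IANA-style name, e.g. "TLS_RSA_WITH_RC4_128_MD5"
    cert_common_name: str
    cert_not_after: date
    issuer_trusted: bool
    decryptable: bool         # False for client-cert auth, pinned apps, etc.
    user: str = ""


@dataclass
class Exceptions:
    common_names: set         # applications that break under decryption
    users: set                # users excluded for regulatory or legal reasons


def uses_weak_algorithm(cipher: str) -> bool:
    """Return True if the IANA-style suite name contains MD5, RC4 or 3DES."""
    tokens = set(cipher.upper().replace("-", "_").split("_"))
    return bool(tokens & WEAK_ALGORITHMS)


def evaluate(session: Session, exceptions: Exceptions, today: date):
    """Return (action, reason) for one session under the best-practice policy."""
    # 1. Which rule matches: decrypt everything except sensitive categories
    #    and the precise application/user exceptions.
    no_decrypt = (
        session.url_category.lower() in SENSITIVE_CATEGORIES
        or session.cert_common_name in exceptions.common_names
        or session.user in exceptions.users
    )

    if not no_decrypt:
        # 2. SSL Forward Proxy + SSL Protocol Settings on the decrypt path.
        if session.tls_version in VULNERABLE_VERSIONS:
            return "block", "vulnerable SSL/TLS version"
        if uses_weak_algorithm(session.cipher):
            return "block", "weak algorithm"
        if not session.decryptable:
            return "block", "session cannot be decrypted"
        return "decrypt", "decrypted and inspected"

    # 3. No Decryption settings: even undecrypted sessions are blocked when
    #    the server certificate is expired or the issuer is untrusted.
    if session.cert_not_after < today:
        return "block", "expired certificate"
    if not session.issuer_trusted:
        return "block", "untrusted issuer"
    return "allow-undecrypted", "no-decrypt exception"


if __name__ == "__main__":
    ex = Exceptions(common_names={"app.corp.example"}, users={"alice"})
    s = Session("business", "TLS1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "www.example.com", date(2030, 1, 1), True, True)
    print(evaluate(s, ex, date(2024, 6, 1)))
```

Note that the order of checks mirrors the page: the rule match decides the path first, and the profile settings then decide block versus decrypt (or block versus allow-undecrypted). Keeping the exception sets keyed on certificate common name and user, rather than on broad categories, is what makes the exceptions precise.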