Decrypt Traffic for Full Visibility and Threat Inspection

The best practice security policy dictates that you decrypt all traffic except sensitive categories, which include Health, Finance, Government, and traffic that you don’t decrypt for business, legal, or regulatory reasons.
Use decryption exceptions only where required, and be precise to ensure that you are limiting the exception to a specific application or user based on need only:
  • If decryption breaks an important application, create an exception for the specific IP address, domain, or common name in the certificate associated with the application.
  • If a specific user needs to be excluded for regulatory or legal reasons, create an exception for just that user.
To ensure that certificates presented during SSL decryption are valid, configure the firewall to perform CRL/OCSP checks.
Best practice Decryption policy rules include a strict Decryption Profile. Before you configure SSL Forward Proxy, create a best practice Decryption Profile (Objects > Decryption Profile) to attach to your Decryption policy rules:
  1. Configure the SSL Decryption > SSL Forward Proxy settings to block exceptions during SSL negotiation and block sessions that can’t be decrypted:
    [Screenshot: SSL Forward Proxy settings of the best practice Decryption Profile]
    Block sessions if resources not available prevents the firewall from allowing potentially dangerous connections that it cannot inspect, but it may affect the user experience.
  2. Configure the SSL Decryption > SSL Protocol Settings to block use of vulnerable SSL/TLS versions (TLS 1.0 and SSLv3) and to avoid weak algorithms (MD5, RC4, and 3DES):
    [Screenshot: SSL Protocol Settings of the best practice Decryption Profile]
    Some sites still use the TLSv1.1 protocol, but TLSv1.2 is more secure. Review the sites you need to access for business purposes. If most of them use TLSv1.2, then create separate Decryption policies and a separate Decryption profile for sites that use TLSv1.1 so that only the sites you legitimately need for business purposes can access your network using TLSv1.1.
    The same is true about the SHA1 authentication algorithm—if you can use the more secure SHA256 or greater algorithm, do it. If only a few sites that you need for business purposes use SHA1, create separate Decryption policies and a separate Decryption profile for them.
  3. For traffic that you are not decrypting, configure the No Decryption settings to block encrypted sessions to sites with expired certificates or untrusted issuers:
    [Screenshot: No Decryption settings of the best practice Decryption Profile]
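The following added example (not from this page and not firewall code) shows what the protocol and certificate checks in steps 2 and 3 amount to in plain Python, using only the standard `ssl` module. `build_outbound_context` models the proxy-to-server leg of a forward proxy: TLS 1.2 minimum, MD5/RC4/3DES/SHA1 cipher suites disabled, mandatory chain validation, and optional CRL checking. `certificate_verdict` applies the No Decryption checks (expired certificate, untrusted issuer) to a certificate in the dict shape that `getpeercert()` returns. The sample certificate, issuer names and timestamps are constructed for the example; the function names are this example's own.

```python
import ssl

# Algorithm families the best practice profile disables (OpenSSL names 3DES "DES-CBC3").
WEAK_ALGORITHMS = ("MD5", "RC4", "3DES", "DES-CBC3")


def build_outbound_context(crl_path=None):
    """Build a client-side SSLContext that mirrors the SSL Protocol Settings step.

    crl_path (optional): PEM file with CRLs to load, so the leaf certificate is
    checked against the CRL during the handshake (step: CRL/OCSP checks).
    """
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSLv3, TLS 1.0 and TLS 1.1
    # Keep only strong suites; exclude MD5, RC4, 3DES and SHA1-based MACs explicitly.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!SHA1")
    if crl_path:
        ctx.load_verify_locations(cafile=crl_path)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def weak_ciphers_enabled(ctx):
    """Return the names of any cipher suites the context would still offer that
    use one of the weak algorithm families (should be empty)."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(w in c["name"] for w in WEAK_ALGORITHMS)]


def profile_summary(ctx):
    """Summarise the enforced settings so they can be reviewed or asserted on."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "weak_ciphers": weak_ciphers_enabled(ctx),
    }


def certificate_verdict(peercert, trusted_issuer_cns, now):
    """Apply the No Decryption checks to a getpeercert()-style dict.

    Returns ("block", reason) for an expired certificate or an issuer whose
    commonName is not in trusted_issuer_cns, else ("allow", "ok").
    """
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    if now > not_after:
        return ("block", "expired")
    # issuer is a tuple of RDNs; each RDN is a tuple of (attribute, value) pairs.
    issuer = {k: v for rdn in peercert["issuer"] for (k, v) in rdn}
    if issuer.get("commonName") not in trusted_issuer_cns:
        return ("block", "untrusted-issuer")
    return ("allow", "ok")


# Constructed sample certificate in the shape of ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "app.example.internal"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Internal CA"),)),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
TRUSTED_ISSUERS = {"Example Internal CA"}
# Two constructed evaluation times: one inside, one after the validity period.
VALID_CHECK_TIME = ssl.cert_time_to_seconds("Jun 15 00:00:00 2024 GMT")
EXPIRY_CHECK_TIME = ssl.cert_time_to_seconds("Jun 15 00:00:00 2025 GMT")

if __name__ == "__main__":
    print(profile_summary(build_outbound_context()))
    print(certificate_verdict(SAMPLE_CERT, TRUSTED_ISSUERS, VALID_CHECK_TIME))
    print(certificate_verdict(SAMPLE_CERT, TRUSTED_ISSUERS, EXPIRY_CHECK_TIME))
    print(certificate_verdict(SAMPLE_CERT, {"Some Other CA"}, VALID_CHECK_TIME))
```

The context mirrors the profile rather than the firewall's own enforcement: a server that only offers TLS 1.0 or an RC4 suite fails the handshake instead of being decrypted, which is the "block" outcome of step 2, and `certificate_verdict` makes the step 3 decisions explicit so they can be logged with a reason.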
