Decrypt Traffic for Full Visibility and Threat Inspection
The best practice security policy dictates that you decrypt all traffic except sensitive categories, which include Health, Finance, Government, and traffic that you don't decrypt for business, legal, or regulatory reasons. Create exceptions only where required, and be precise so that each exception is limited to a specific application or user based on need only:
- If decryption breaks an important application, create an exception for the specific IP address, domain, or common name in the certificate associated with
- If a specific user needs to be excluded for regulatory or legal reasons, create an exception for just that user.
Best practice Decryption policy rules include a strict Decryption Profile. Before you configure SSL Forward Proxy, create a best practice Decryption Profile to attach to your Decryption policy rules:
- SSL Forward Proxy: block exceptions during SSL negotiation and block sessions that can't be decrypted. Enable Block sessions if resources not available rather than allowing potentially dangerous connections, even though this may affect the user.
- SSL Protocol Settings: prevent the use of vulnerable SSL/TLS versions (TLS 1.0 and SSLv3) and avoid weak algorithms (MD5, RC4, and 3DES).
Some sites still use the TLSv1.1 protocol, but TLSv1.2 is more secure. Review the sites you need to access for business purposes. If most of them use TLSv1.2, create separate Decryption policies and a separate Decryption profile for the sites that use TLSv1.1, so that only the sites you legitimately need for business purposes can access your network using TLSv1.1. The same applies to the SHA1 authentication algorithm: if you can use the more secure SHA256 or greater algorithm, do it. If only a few sites that you need for business purposes use SHA1, create separate Decryption policies and a separate Decryption profile for them.
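The review of business sites described above can be scripted. The following is an added example, not Palo Alto Networks tooling: it probes each host with Python's standard ssl module under three client contexts (TLS 1.2+ with no SHA1-MAC cipher suites, TLS 1.2+ allowing SHA1 suites, and TLS 1.1 only) and then sorts the hosts into the profile buckets the guidance describes. The host list, port 443, and timeouts are assumptions for illustration; results depend on the OpenSSL build doing the probing, so confirm borderline hosts by hand.

```python
"""Inventory which business sites need a legacy Decryption Profile.

Added example (not from the Palo Alto Networks documentation).  Each host
is probed three times; the results decide whether it belongs in the strict
best practice profile or in a separate legacy (SHA1 or TLSv1.1) profile.
"""
import socket
import ssl

STRICT = "strict"              # default best practice profile
LEGACY_SHA1 = "legacy-sha1"    # separate profile that still allows SHA1
LEGACY_TLS11 = "legacy-tls11"  # separate profile that still allows TLSv1.1
UNREACHABLE = "unreachable"    # negotiated nothing; investigate by hand

# OpenSSL cipher strings.  "!SHA1" drops suites whose MAC is SHA1; TLS 1.3
# suites are unaffected by set_ciphers() and are always acceptable.
NO_SHA1_CIPHERS = "HIGH:!aNULL:!SHA1:!MD5:!3DES:!RC4"
TLS12_ANY_CIPHERS = "HIGH:!aNULL:!MD5:!3DES:!RC4"
# OpenSSL 1.1+/3.x refuse TLS 1.1 at the default security level, so the
# TLS 1.1 probe lowers it (LibreSSL does not support @SECLEVEL).
TLS11_CIPHERS = TLS12_ANY_CIPHERS + ":@SECLEVEL=0"


def _connect(host, min_version, max_version, ciphers, port=443, timeout=5.0):
    """Return the negotiated protocol name, or None if the handshake fails."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # only probing protocol/cipher support here
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = min_version
    ctx.maximum_version = max_version
    try:
        ctx.set_ciphers(ciphers)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ssl.SSLError):
        return None


def probe_host(host):
    """Which of the three client contexts does this host accept?"""
    v = ssl.TLSVersion
    return {
        "tls12_strong_mac": _connect(host, v.TLSv1_2, v.MAXIMUM_SUPPORTED, NO_SHA1_CIPHERS) is not None,
        "tls12_sha1": _connect(host, v.TLSv1_2, v.MAXIMUM_SUPPORTED, TLS12_ANY_CIPHERS) is not None,
        "tls11": _connect(host, v.TLSv1_1, v.TLSv1_1, TLS11_CIPHERS) is not None,
    }


def assign_profile(caps):
    """Map one host's probe results to a Decryption Profile bucket."""
    if caps["tls12_strong_mac"]:
        return STRICT
    if caps["tls12_sha1"]:
        return LEGACY_SHA1
    if caps["tls11"]:
        return LEGACY_TLS11
    return UNREACHABLE


def plan_profiles(capabilities):
    """Group hosts by bucket; each legacy bucket becomes its own rule + profile."""
    plan = {STRICT: [], LEGACY_SHA1: [], LEGACY_TLS11: [], UNREACHABLE: []}
    for host in sorted(capabilities):
        plan[assign_profile(capabilities[host])].append(host)
    return plan


if __name__ == "__main__":
    # Constructed host list; replace with the sites your business needs.
    hosts = ["example.com", "example.org"]
    results = {h: probe_host(h) for h in hosts}
    for bucket, members in plan_profiles(results).items():
        print(f"{bucket:13s} {', '.join(members) or '-'}")
```

Only hosts in the legacy buckets justify a separate policy rule and profile; everything in the strict bucket stays under the best practice profile, and an unreachable host should be checked manually rather than given a looser profile.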
- For traffic that you are not decrypting, configure the settings to block encrypted sessions to sites with expired certificates or untrusted issuers.
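The profile settings listed above can be checked mechanically against an exported configuration. The following is an added example and not Palo Alto Networks' own tooling. The XML element names (for instance block-unsupported-version, block-if-no-resource, auth-algo-sha1) follow the layout of an exported PAN-OS running configuration as recalled here and are an assumption: confirm them against your own export before relying on the checks. Both embedded profiles are constructed, one with weak settings and one hardened per the guidance.

```python
"""Audit a Decryption Profile <entry> against the best practice settings.

Added example, not Palo Alto Networks' own tooling.  Element names are
assumed (verify against your own exported running-config).
"""
import xml.etree.ElementTree as ET

# (path relative to <ssl>, expected value, the guidance it enforces)
EXPECTED = [
    ("ssl-forward-proxy/block-unsupported-version", "yes", "block unsupported SSL/TLS versions"),
    ("ssl-forward-proxy/block-unsupported-cipher", "yes", "block unsupported cipher suites"),
    ("ssl-forward-proxy/block-if-no-resource", "yes", "block sessions if resources not available"),
    ("ssl-forward-proxy/block-expired-certificate", "yes", "block expired certificates"),
    ("ssl-forward-proxy/block-untrusted-issuer", "yes", "block untrusted issuers"),
    ("ssl-no-proxy/block-expired-certificate", "yes", "undecrypted traffic: block expired certificates"),
    ("ssl-no-proxy/block-untrusted-issuer", "yes", "undecrypted traffic: block untrusted issuers"),
    ("ssl-protocol-settings/min-version", "tls1-2", "minimum version TLSv1.2 (no TLS 1.0/SSLv3)"),
    ("ssl-protocol-settings/enc-algo-3des", "no", "disable 3DES"),
    ("ssl-protocol-settings/enc-algo-rc4", "no", "disable RC4"),
    ("ssl-protocol-settings/auth-algo-md5", "no", "disable MD5"),
    ("ssl-protocol-settings/auth-algo-sha1", "no", "disable SHA1 (separate profile for the few sites that need it)"),
]


def audit_profile(xml_text):
    """Return (path, found, expected, reason) for every setting that deviates."""
    root = ET.fromstring(xml_text)
    ssl_node = root.find(".//ssl")
    if ssl_node is None:
        raise ValueError("no <ssl> section in this profile entry")
    findings = []
    for path, expected, reason in EXPECTED:
        node = ssl_node.find(path)
        found = node.text.strip() if node is not None and node.text else "<absent>"
        if found != expected:  # an absent element counts as a deviation
            findings.append((path, found, expected, reason))
    return findings


# Constructed sample: the weak settings the guidance warns against.
WEAK_PROFILE = """<entry name="weak-example"><ssl>
  <ssl-forward-proxy>
    <block-expired-certificate>yes</block-expired-certificate>
    <block-untrusted-issuer>yes</block-untrusted-issuer>
    <block-unsupported-version>no</block-unsupported-version>
    <block-unsupported-cipher>no</block-unsupported-cipher>
    <block-if-no-resource>no</block-if-no-resource>
  </ssl-forward-proxy>
  <ssl-no-proxy>
    <block-expired-certificate>no</block-expired-certificate>
    <block-untrusted-issuer>no</block-untrusted-issuer>
  </ssl-no-proxy>
  <ssl-protocol-settings>
    <min-version>tls1-0</min-version><max-version>max</max-version>
    <enc-algo-3des>yes</enc-algo-3des><enc-algo-rc4>no</enc-algo-rc4>
    <auth-algo-md5>no</auth-algo-md5><auth-algo-sha1>yes</auth-algo-sha1>
  </ssl-protocol-settings>
</ssl></entry>"""

# Constructed sample: the same profile hardened per the guidance.
STRICT_PROFILE = """<entry name="best-practice-example"><ssl>
  <ssl-forward-proxy>
    <block-expired-certificate>yes</block-expired-certificate>
    <block-untrusted-issuer>yes</block-untrusted-issuer>
    <block-unsupported-version>yes</block-unsupported-version>
    <block-unsupported-cipher>yes</block-unsupported-cipher>
    <block-if-no-resource>yes</block-if-no-resource>
  </ssl-forward-proxy>
  <ssl-no-proxy>
    <block-expired-certificate>yes</block-expired-certificate>
    <block-untrusted-issuer>yes</block-untrusted-issuer>
  </ssl-no-proxy>
  <ssl-protocol-settings>
    <min-version>tls1-2</min-version><max-version>max</max-version>
    <enc-algo-3des>no</enc-algo-3des><enc-algo-rc4>no</enc-algo-rc4>
    <auth-algo-md5>no</auth-algo-md5><auth-algo-sha1>no</auth-algo-sha1>
  </ssl-protocol-settings>
</ssl></entry>"""


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_PROFILE), ("strict", STRICT_PROFILE)):
        findings = audit_profile(xml_text)
        print(f"{label}: {len(findings)} deviation(s)")
        for path, found, expected, reason in findings:
            print(f"  {path}: found {found!r}, want {expected!r} ({reason})")
```

To audit a live device, export the running configuration, locate the profile's <entry> element under the decryption profiles, and pass its serialized XML to audit_profile(). A deliberately separate legacy profile (for the TLSv1.1 or SHA1 sites) will of course report those two deviations; the point is that no other setting drifts and that the strict profile reports none.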