) for commonly used sites that
break decryption for technical reasons. You can remove predefined
sites from the list by clicking the checkbox next to the site hostname
and then clicking
, and you can add sites to the list.
Use the Decryption Exclusion list only for sites that break decryption
for technical reasons; don't use it for sites that you simply choose not
to decrypt. If decryption breaks an important application, add it to the Decryption Exclusion list to
create an exception for the specific IP address, domain, or common
name in the certificate associated with the application. Some internal
custom applications may break if you decrypt them, for example applications
that pin their server certificate or that require client certificate authentication.
If the technical reason for excluding a site from decryption
is an incomplete certificate chain (the server sends its own certificate but
omits one or more intermediate sub-CA certificates), the next-generation firewall
doesn't fetch the missing intermediates itself the way a browser does, so it
cannot build a trusted path from the server certificate to a root. If you need
to add such a site to the SSL Decryption Exclusion list, manually review
the site to ensure it's a legitimate business site, then download
the missing sub-CA certificates and load and deploy them onto the firewall,
which completes the chain so the firewall can validate the server certificate.
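The following Go program is an added illustration of the failure mode described above; it is not code from the original page or from the firewall vendor. It builds a hypothetical three-tier PKI in memory (the names "Example Root CA", "Example Sub-CA" and "app.example.internal" are made up for the example) and then validates the server certificate the way the firewall does: with only the trusted root plus whatever intermediates the server actually sent, and no fetching of missing issuers. When the server omits the sub-CA, verification fails with "certificate signed by unknown authority"; once the sub-CA is added to the intermediates pool (the equivalent of loading it onto the firewall), the same leaf verifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key for tmpl and signs tmpl with parentKey.
// When parent is nil the certificate is self-signed, i.e. a root CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// caTemplate returns a CA certificate template with the given common name.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// BuildChain constructs the hypothetical PKI used by this example:
// root CA -> sub-CA -> server certificate for app.example.internal.
// All names are constructed for the example, not taken from the page.
func BuildChain() (root, subCA, leaf *x509.Certificate) {
	root, rootKey := issue(caTemplate("Example Root CA", 1), nil, nil)
	subCA, subKey := issue(caTemplate("Example Sub-CA", 2), root, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "app.example.internal"},
		DNSNames:     []string{"app.example.internal"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _ = issue(leafTmpl, subCA, subKey)
	return root, subCA, leaf
}

// VerifyAsFirewall validates leaf against the trusted root using only the
// intermediates the server sent (or the operator loaded). Nothing is fetched
// from the network, so a missing sub-CA is not recovered automatically.
func VerifyAsFirewall(leaf, root *x509.Certificate, sent []*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inter := x509.NewCertPool()
	for _, c := range sent {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		DNSName:       "app.example.internal",
	})
	return err
}

// Demo runs both cases: the server omits the sub-CA (missing != nil), and the
// sub-CA has been loaded onto the firewall (loaded == nil).
func Demo() (missing, loaded error) {
	root, subCA, leaf := BuildChain()
	missing = VerifyAsFirewall(leaf, root, nil)
	loaded = VerifyAsFirewall(leaf, root, []*x509.Certificate{subCA})
	return missing, loaded
}

func main() {
	missing, loaded := Demo()
	fmt.Println("server sends leaf only:       ", missing)
	fmt.Println("sub-CA loaded on the firewall:", loaded)
}
```

In practice the issuer distinguished name of the server certificate tells you which sub-CA certificate to obtain; compare it against the subjects of the certificates the server actually sends, and load the one that is absent rather than excluding the site from decryption.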
You may choose not to decrypt some traffic for reasons such as regulations
and legal compliance. For example, the European Union (EU) General
Data Protection Regulation (GDPR) requires strong protection
of all personal data for all individuals. The GDPR affects all companies,
including foreign companies, that collect or process the personal
data of EU residents. Different regulations and compliance rules
may mean that you treat the same data differently in different countries
or regions. Businesses usually can decrypt personal information
in their corporate data centers because the business owns the information.
The best practice is to decrypt as much traffic as possible so that
you can see it and apply security protection to it.
For traffic you choose not to decrypt, make sure it really is
traffic you don't want to decrypt, and then create a policy-based exclusion that specifies
the application, user group, source and destination, URL category,
and/or service to limit each exclusion as much as possible. The
more specific the decryption exclusion, the better, so that you
don't inadvertently exclude more traffic than necessary from decryption.