Network Security
Enable Users to Opt Out of SSL Decryption
Table of Contents
Enable Users to Opt Out of SSL Decryption
Allow users to either continue to a requested site and have their traffic decrypted
for 24 hours or opt out of decryption, which blocks access to that site and others for a
minute.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
No requirements.
|
You can alert end users who attempt to access HTTPS websites or applications that their traffic
will be decrypted and inspected for security purposes. The response page prompts
them to either continue to a website with the understanding that their
traffic will be decrypted or opt out of the decryption. Users can click
Yes to continue to the site or click
No to opt out of decryption and terminate the
session.
If they continue to the website, all HTTPS sites they access for the next 24 hours is
subject to decryption. After 24 hours, the response page appears again. Users who
opt out of SSL decryption can't access the requested webpage they initially tried to
access or any other HTTPS site, for the next minute. After the minute elapses, the
response page appears the next time they request an HTTPS website. (There is no
option to go to the site and also bypass decryption.) Before implementing the
response page, educate end users about this intervention, what to expect and when,
and what their options are.
Browsers do not display response pages when SSL/TLS handshake inspections is
enabled.
You can activate the predefined SSL Decryption Opt-out Page or customize the page with your own
text or images. You can use the same response page objects documented for URL
filtering. However, best practice is to not provide end users with the option to
bypass decryption.
To use the default page instead of an active custom page, delete the custom page from
the device and Commit your changes. This sets the predefined
block page as the new, active page. The Action column in the
response page list shows if a response page is active–you'll see either
Predefined or
Disabled.
Custom response pages larger than the maximum supported size are not decrypted or displayed to
users. The maximum size is 17,999 bytes.
- Activate the predefined SSL Decryption Opt-out Page.
- Select ,
- In the Type column, select SSL Decryption Opt-out Page. If Location or Action shows Disabled, then the page is inactive. The response page window appears.
- Select Enable SSL Opt-out Page.Alternatively, click Disabled in the row that corresponds to the SSL Decryption Opt-Out page.
- Click OK.
- Commit the changes.
- (Optional) Customize the SSL Decryption Opt-out Page.
- Select .
- Under Type, select SSL Decryption Opt-out Page. The predefined page displays under the Location column.
- Select the Predefined check box, and then click Export.
- Using the HTML text editor of your choice, edit the page.
- If you want to add an image, host the image on a web server that’s accessible from end-user systems.
- Add a line to the HTML to point to the image. For example:
<img src="http://cdn.slidesharecdn.com/ Acme-logo-96x96.jpg?1382722588"/> - Save the edited page with a new filename. Make sure that the page retains its UTF-8 encoding.
- On the NGFW or Panorama, select .
- Click SSL Decryption Opt-out Page.
- Click Import and Browse to locate the file, or enter the path and filename in the Import File field.
- (Optional) Select the virtual system on which this login page will be used from the Destination drop-down or select shared to make it available to all virtual systems.
- Click OK to import the file.
- Select the response page you imported, then Close the window.
- Verify that the response page displays when you attempt to browse to a site.From a browser, go to an encrypted site that matches a decryption policy rule.
