Local SSL Decryption Exclusion Cache

The NGFW automatically adds SSL decryption exclusions to the local exclusion cache to allow application traffic that uses unsupported modes.
Where Can I Use This?
What Do I Need?
  • No separate license required for decryption when using NGFWs or Prisma Access.
Note: The features and capabilities available to you in Strata Cloud Manager depend on your active license(s).
The Local SSL Decryption Exclusion Cache contains websites that the Next-Generation Firewall (NGFW) automatically excludes from decryption because of technical circumstances that break or prevent decryption, such as pinned certificates, client authentication, or unsupported ciphers. Because traffic that matches a cache entry remains encrypted, the NGFW doesn’t decrypt it, inspect it, or enforce Security policy rules on it. An entry in the local cache excludes traffic from decryption for 12 hours and then ages out. The NGFW populates the cache based on the decryption profile associated with the decryption policy rule that controls the traffic. Specifically, if the decryption profile allows unsupported modes—sessions with client authentication, unsupported versions, or unsupported cipher suites—and the allowed traffic uses an unsupported mode, then the device adds the server to the local exclusion cache. Ensure that the sites you exclude from decryption (for example, by applying a decryption profile that allows unsupported modes) are sites with applications or services you need for business.
If you allow unsupported mode checks in a decryption profile, the NGFW adds entries to the cache when:
  • The client or server advertises a specific cipher that the server or client doesn’t support.
  • The client or server advertises a specific curve that the server or client doesn’t support.
  • The client or server advertises a specific protocol version that the server or client doesn't support.
    • Examples: The client supports only TLSv1.2, but the server supports only TLSv1.3. In the local cache, the Reason shown for this exclusion is SSL_UNSUPPORTED.
    • The client supports TLSv1.3 and TLSv1.2, but the server supports only TLSv1.2. In this case, the Reason shown is TLS13_UNSUPPORTED.
      When the Reason for adding a server to the Local SSL Decryption Exclusion Cache is TLS13_UNSUPPORTED, the NGFW downgrades the session protocol to TLSv1.2, so it can decrypt and inspect the traffic.
If the decryption profile blocks unsupported modes, the server is not added to the local cache and the NGFW blocks traffic to and from the server. Blocking unsupported modes increases security, but it also blocks communication with applications that use those modes. Client authentication is a common reason for excluding applications from decryption, which is why best practice is to block unsupported versions and unsupported ciphers and allow client authentication in the decryption profile. If the decryption profile allows client authentication and a client starts a session with a server that requires the client to authenticate, the NGFW adds the application and server to the local exclusion cache and allows the traffic instead of blocking it because it can’t be decrypted.
If you allow traffic from sites that use client authentication and are not in the predefined or custom SSL decryption exclusion list, create a decryption profile that allows sessions with client authentication. Add the profile to a decryption policy rule that applies only to the servers that host the application.
To increase security further, require multi-factor authentication to complete the user login process. Alternatively, you can add the site to the SSL decryption exclusion list to bypass decryption without using an explicit decryption policy rule.
The local cache contains a maximum of 1,024 entries. Each exclusion entry includes information about the application, the server, the reason for inclusion in the cache, the decryption profile applied to the traffic, its virtual system (vsys), and more. You can’t manually add local exclusions to the cache, but you can add exclusions to the SSL decryption exclusion list.
To view the Local SSL Decryption Exclusion Cache, superuser or Certificate Management administrative access is required.
  • (PAN-OS and Panorama) Select Device > Certificate Management > SSL Decryption Exclusion, and then click Show Local Exclusion Cache.
You can select and delete entries from the local cache manually. You can also delete cached entries using the clear ssl-decrypt exclude-cache [server <value>] [application <value>] CLI command.
If anyone attempts to access the same server before the local cache entry ages out (12 hours), the NGFW matches the session to the cache entry, bypasses decryption, and allows the traffic. The NGFW flushes the local exclusion cache if you change the decryption policy rule or profile because those changes might affect the classification of the session. If the cache becomes full, the oldest entries are purged as new ones arrive.
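The following Python model is an added illustration of the behaviour described on this page (the reason classification for unsupported versions and the cache lifecycle: 12-hour aging, 1,024-entry limit with oldest-first purge, flush on policy change). It is not PAN-OS code; the reason strings SSL_UNSUPPORTED and TLS13_UNSUPPORTED come from the page, while the CLIENT_AUTH label, the profile dictionary layout and the mapping of TLS13_UNSUPPORTED to the "unsupported versions" profile setting are assumptions made for the model.

```python
from collections import OrderedDict

TTL_SECONDS = 12 * 3600   # a cached exclusion ages out after 12 hours
MAX_ENTRIES = 1024        # the local cache holds at most 1,024 entries

def classify(client_versions, server_versions, client_auth=False):
    """Map a handshake to the exclusion reason described on the page (None = decrypt normally)."""
    if client_auth:
        return "CLIENT_AUTH"                 # constructed label; the page names no reason string for it
    common = set(client_versions) & set(server_versions)
    if not common:
        return "SSL_UNSUPPORTED"             # e.g. client only TLSv1.2, server only TLSv1.3
    if "TLSv1.3" in client_versions and "TLSv1.3" not in server_versions:
        return "TLS13_UNSUPPORTED"           # NGFW downgrades to TLSv1.2 and still decrypts
    return None

# Which decryption-profile setting governs each reason (TLS13_UNSUPPORTED -> "versions" is an assumption).
SETTING_FOR_REASON = {"CLIENT_AUTH": "client_auth", "SSL_UNSUPPORTED": "versions", "TLS13_UNSUPPORTED": "versions"}

class ExclusionCache:
    def __init__(self):
        self.entries = OrderedDict()         # insertion order doubles as age order

    def expire(self, now):
        for server, entry in list(self.entries.items()):
            if now - entry["added"] >= TTL_SECONDS:
                del self.entries[server]

    def add(self, server, app, reason, profile_name, now):
        if len(self.entries) >= MAX_ENTRIES:
            self.entries.popitem(last=False)  # cache full: purge the oldest entry
        self.entries[server] = {"app": app, "reason": reason, "profile": profile_name, "added": now}

    def flush(self):
        self.entries.clear()                  # a decryption rule or profile change flushes the cache

def handle_session(cache, profile, server, app, client_versions, server_versions, now, client_auth=False):
    """Return the NGFW action for one session: decrypt, decrypt-downgraded, bypass or block."""
    cache.expire(now)
    hit = cache.entries.get(server)
    if hit:                                   # cache match before the entry ages out
        return "decrypt-downgraded" if hit["reason"] == "TLS13_UNSUPPORTED" else "bypass"
    reason = classify(client_versions, server_versions, client_auth)
    if reason is None:
        return "decrypt"
    if not profile["allow"][SETTING_FOR_REASON[reason]]:
        return "block"                        # blocked modes are never added to the cache
    cache.add(server, app, reason, profile["name"], now)
    return "decrypt-downgraded" if reason == "TLS13_UNSUPPORTED" else "bypass"
```

The best-practice profile from the page corresponds to `{"allow": {"client_auth": True, "versions": False}}`: client-authentication sessions are cached and bypassed, while version mismatches are blocked without touching the cache.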