Apply Granular Settings to Traffic Matching a Decryption Policy Rule (Strata Cloud Manager)

  1. Create a decryption profile.
    1. Select Configuration > Security Services > Decryption. Under Decryption Profiles, click Add Profile.
    2. Enter a descriptive Name for the profile.
  2. Specify TLS protocol versions and cipher suites to support for TLS connections:
    Under Handshake Settings:
    1. Select a Protocol Min Version: SSLv3.0, TLSv1.0 through TLSv1.3.
    2. Select a Protocol Max Version: SSLv3.0, TLSv1.0 through TLSv1.3, and Max.
      Set the Protocol Max Version to Max to support the newest TLS protocol version when available.
    3. Add or Remove the desired Key Exchange Algorithms.
      The RSA, DHE, and ECDHE key exchange algorithms are enabled by default.
      To remove an algorithm, select the algorithm and then click Remove.
    4. Add or Remove the desired Encryption Algorithms.
    5. Add or Remove the desired Authentication Algorithms.
      The MD5 algorithm is blocked by default.
  3. (Optional) Configure Server Certificate Verification settings, Unsupported Mode Checks, Failure Checks, and Client Extension settings for SSL Forward Proxy.
    1. For Server Certificate Verification, select Block sessions with expired certificates or Block sessions with untrusted issuers.
    2. For Unsupported Mode Checks, select Block sessions with unsupported versions or Block sessions with unsupported cipher suites.
    3. (Optional) To configure additional Server Certificate Verification settings, Unsupported Mode Checks, Failure Checks, and Client Extension settings, select Advanced.
      An Advanced SSL Forward Proxy Settings overlay opens.
      • For Server Certificate Verification, you can configure these additional settings:
        • Block sessions with unknown certificate status
        • Block sessions on certificate status check timeout
        • Restrict certificate extensions
        • Append certificate's CN value to SAN extension
      • For Unsupported Mode Checks, you can Block sessions with client authentication.
      • For Failure Checks, you can Block downgrade on no resource.
      • For Client Extension, you can Strip ALPN.
    4. Save the advanced settings.
  4. (Optional) Configure Unsupported Mode Checks and Failure Checks for SSL Inbound Inspection.
    1. For Unsupported Mode Checks, select Block sessions with unsupported versions or Block sessions with unsupported cipher suites.
    2. For Failure Checks, select Block sessions if resources not available or Block sessions if HSM not available.
  5. (Optional) Configure Server Certificate Verification settings for traffic you don't decrypt.
    For Server Certificate Verification, select Block sessions with expired certificates or Block sessions with untrusted issuers.
    Apply no-decryption profiles to decryption policy rules that control traffic excluded from decryption for compliance, legal, and nontechnical reasons. If a server breaks decryption for technical reasons, add it to the Global Decryption Exclusion list instead.
  6. Save the profile.
  7. Commit your changes.
    Select Push Config > Push.
  8. Apply the profile to the appropriate decryption policy rules.
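
As an added illustration, not code from this page or from Palo Alto Networks, the following Python models how the settings chosen in steps 2 through 4 combine to decide the fate of a session that matches the rule. The profile values, the constructed sessions, and the order in which the checks fire are assumptions made for the illustration.

```python
"""Models how a decryption profile's handshake settings (step 2) and its
certificate / unsupported-mode checks (steps 3-4) decide a session's fate.
Added illustration, not PAN-OS code; the check order is an assumption."""
from dataclasses import dataclass, field

VERSIONS = ["SSLv3.0", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # Min/Max selector order

@dataclass
class DecryptionProfile:
    min_version: str = "TLSv1.2"
    max_version: str = "Max"  # "Max" = newest version the firewall supports
    key_exchange: set = field(default_factory=lambda: {"DHE", "ECDHE"})  # RSA removed
    auth_algorithms: set = field(default_factory=lambda: {"SHA256", "SHA384"})  # MD5 blocked
    block_expired_certs: bool = True
    block_untrusted_issuers: bool = True
    block_unsupported_versions: bool = True
    block_unsupported_ciphers: bool = True

@dataclass
class Session:  # one observed handshake, reduced to the fields the profile checks
    version: str
    key_exchange: str
    auth_algorithm: str
    cert_expired: bool = False
    issuer_trusted: bool = True

def evaluate(profile, s):
    """Return (allowed, reason); the reason names the profile setting that fired."""
    lo = VERSIONS.index(profile.min_version)
    hi = len(VERSIONS) - 1 if profile.max_version == "Max" else VERSIONS.index(profile.max_version)
    if profile.block_unsupported_versions and not lo <= VERSIONS.index(s.version) <= hi:
        return False, f"unsupported version {s.version}"
    suite_ok = s.key_exchange in profile.key_exchange and s.auth_algorithm in profile.auth_algorithms
    if profile.block_unsupported_ciphers and not suite_ok:
        return False, f"unsupported cipher suite {s.key_exchange}/{s.auth_algorithm}"
    if profile.block_expired_certs and s.cert_expired:
        return False, "expired server certificate"
    if profile.block_untrusted_issuers and not s.issuer_trusted:
        return False, "untrusted issuer"
    return True, "allowed"

SAMPLE_SESSIONS = [  # constructed handshakes, not captured traffic
    Session("TLSv1.3", "ECDHE", "SHA384"),
    Session("TLSv1.0", "ECDHE", "SHA256"),                      # below Protocol Min Version
    Session("TLSv1.2", "RSA", "SHA256"),                        # RSA removed from Key Exchange
    Session("TLSv1.2", "ECDHE", "MD5"),                         # MD5 blocked by default
    Session("TLSv1.2", "ECDHE", "SHA256", cert_expired=True),
    Session("TLSv1.2", "ECDHE", "SHA256", issuer_trusted=False),
]
```

Running `evaluate(DecryptionProfile(), s)` over `SAMPLE_SESSIONS` shows which single setting blocks each handshake, which is useful when deciding how strict a profile can be before it breaks legitimate sites.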