Allow users to either continue to a requested site and have their traffic decrypted
for 24 hours or opt out of decryption, which blocks access to that site and others for a
minute.
| Where Can I Use
This? | What Do I Need? |
|---|
You can alert end users who attempt to access HTTPS websites or applications that their traffic
will be decrypted and inspected for security purposes. The response page prompts
them to either continue to a website with the understanding that their
traffic will be decrypted or opt out of the decryption. Users can click
Yes to continue to the site or click
No to opt out of decryption and terminate the
session.
If they continue to the website, all HTTPS sites they access for the next 24 hours is
subject to decryption. After 24 hours, the response page appears again. Users who
opt out of SSL decryption can't access the requested webpage they initially tried to
access or any other HTTPS site, for the next minute. After the minute elapses, the
response page appears the next time they request an HTTPS website. (There is no
option to go to the site and also bypass decryption.) Before implementing the
response page, educate end users about this intervention, what to expect and when,
and what their options are.
You can activate the predefined SSL Decryption Opt-out Page or customize the page with your own
text or images. You can use the same
response page objects documented for URL
filtering. However, best practice is to not provide end users with the option to
bypass decryption.
To use the default page instead of an active custom page, delete the custom page from
the device and Commit your changes. This sets the predefined
block page as the new, active page. The Action column in the
response page list shows if a response page is active–you'll see either
Predefined or
Disabled.
Custom response pages larger than the maximum supported size are not decrypted or displayed to
users. The maximum size is 17,999 bytes.
