Set the Min Version to TLSv1.2 to provide the strongest security. Business sites that take security seriously support TLSv1.2 or later. If a site (or a category of sites) supports only older protocol versions (TLSv1.1 or earlier) or only weak cipher suites, review the site and determine whether it really hosts a legitimate business application. If it does, make an exception for only that site: configure a separate Decryption profile whose Min Version matches the highest protocol version the site supports, and apply that profile to a Decryption policy rule whose match criteria limit the weaker protocol to the site or sites in question. If the site doesn't host a legitimate business application, don't weaken your security posture to support it; weak protocols (and weak ciphers) have known vulnerabilities that attackers can exploit. If the site belongs to a category of sites that you don't need for business purposes, use URL Filtering to block access to the entire category. Don't support weak encryption or authentication algorithms unless you must do so for important legacy sites, and when you make exceptions, create a separate Decryption profile that allows the weaker protocol just for those sites. Don't downgrade the main Decryption profile that you apply to most sites to TLSv1.1 just to accommodate a few exceptions.
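The following PAN-OS CLI fragment is an added example, not part of the original page, showing the pattern described above: a strict profile with Min Version TLSv1.2 applied to the general decryption rule, and a separate exception profile lowered only to TLSv1.1 and applied to a narrower rule that matches a single legacy host. The profile, rule, zone and address object names, the 203.0.113.10 address (a constructed TEST-NET-3 example), and the exact `block-unsupported-version` option keyword are assumptions; check each command against the CLI reference for your PAN-OS release before committing, and strip the `#` annotation lines, which the PAN-OS CLI does not accept as comments.

```text
# Strict profile for most traffic: nothing below TLSv1.2.
set profiles decryption TLS12-Strict ssl-protocol-settings min-version tls1-2
set profiles decryption TLS12-Strict ssl-protocol-settings max-version max
set profiles decryption TLS12-Strict ssl-forward-proxy block-unsupported-version yes

# Separate exception profile, lowered only as far as the legacy site needs (TLSv1.1).
# Lowering the shared TLS12-Strict profile instead would weaken every decrypted session.
set profiles decryption Legacy-TLS11-Only ssl-protocol-settings min-version tls1-1
set profiles decryption Legacy-TLS11-Only ssl-protocol-settings max-version max

# Address object that scopes the exception to the one legacy host (assumed address).
set address legacy-app-host ip-netmask 203.0.113.10/32

# Narrow exception rule: only this destination gets the weaker profile.
set rulebase decryption rules Legacy-App-Exception from trust to untrust source any destination legacy-app-host source-user any category any service any action decrypt type ssl-forward-proxy profile Legacy-TLS11-Only

# General outbound decryption rule for everything else uses the strict profile.
set rulebase decryption rules Decrypt-Outbound from trust to untrust source any destination any source-user any category any service any action decrypt type ssl-forward-proxy profile TLS12-Strict

# Rules are evaluated top-down, so the exception must sit above the general rule.
move rulebase decryption rules Legacy-App-Exception before Decrypt-Outbound
```

Because decryption rules are matched top-down, the exception rule must be ordered above the general rule or it never matches; with the strict profile in place, a legacy host that still only negotiates TLSv1.1 will be blocked, which is the signal to review that host rather than to lower the shared profile. If you later confirm the host no longer needs the exception, delete `Legacy-App-Exception` and the `Legacy-TLS11-Only` profile so the weaker setting does not linger.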