Local Decryption Exclusion Cache

Automatically add Decryption exclusions to the local exclusion cache to allow application traffic that uses unsupported modes.
The firewall can add servers to the Local Decryption Exclusion cache (
Device
Certificate Management
SSL Decryption Exclusion
Show Local Exclusion Cache
) and exclude their traffic from decryption automatically for 12 hours if that traffic breaks decryption for technical reasons such as a pinned certificate or an unsupported certificate. When the Decryption profile allows unsupported modes—sessions with client authentication, unsupported versions, or unsupported cipher suites—and the allowed traffic uses an unsupported mode, then the device automatically adds the server to the local exclusion cache and bypasses decryption. The firewall doesn’t decrypt, inspect, and enforce Security policy on traffic that the Local Decryption Exclusion cache allows because the traffic remains encrypted. Ensure that the sites you exclude from decryption (by applying a Decryption profile that allows unsupported modes) are sites with applications or services you need for business.
Blocking unsupported modes blocks communication with applications that use those modes to increase security. Client authentication is a common reason for excluding applications from decryption, which is why the best practice is to block unsupported versions and unsupported ciphers and to allow client authentication in the Decryption profile. If the Decryption profile allows client authentication, then when a client starts a session with a server that requires the client to authenticate, instead of blocking the traffic because the firewall can’t decrypt it, the firewall adds the application and server to the local exclusion cache and allows the traffic.
If you allow traffic from sites that use client authentication and are not in the predefined sites on the SSL Decryption Exclusion list, create a Decryption profile that allows sessions with client authentication. Add the profile to a Decryption policy rule that applies only to the server(s) that host the application. To increase security even more, you can require Multi-Factor Authentication to complete the user login process. Alternatively, you can add the site to the SSL Decryption Exclusion list to skip decryption without using an explicit Decryption policy.
The firewall adds Local SSL Decryption Exclusion cache entries based on the Decryption policy and profile that controls the application traffic. If you don’t block
Unsupported Mode Checks
in the Decryption profile, the firewall adds entries to the Local SSL Decryption Exclusion cache when:
  • The client supports only TLSv1.2 and the server supports only TLSv1.3. In the local cache, the Reason shown for this exclusion is SSL_UNSUPPORTED.
  • The client supports TLSv1.3 and TLSv1.2, and the server supports only TLSv1.2. In this case, the
    Reason
    column shows TLS13_UNSUPPORTED.
    When the
    Reason
    for adding a server to the Local SSL Decryption Exclusion cache is TLS13_UNSUPPORTED, the firewall downgrades the protocol to TLSv1.2 and the firewall decrypts and inspects the traffic.
  • The client advertises a specific cipher that the server doesn’t support.
  • The client advertises a specific curve that the server doesn’t support.
The local cache contains a maximum of 1,024 entries. You can’t add local exclusions to the Local SSL Decryption Exclusion cache manually (but you can add decryption exclusions to the SSL Decryption Exclusion list manually).
You must have superuser or Certificate Management administrative access to view the Local SSL Decryption Exclusion cache. To view it, navigate to
Device
Certificate Management
SSL Decryption Exclusion
and then click
Show Local Exclusion Cache
near the bottom of the screen. The local exclusion cache displays the application, the server, the reason for inclusion in the cache, the Decryption profile that controls the traffic, and more for each entry. You can select and delete entries from the local cache manually.
local-decryption-exclusion-cache.png
You can also delete cached entries using the CLI:
clear ssl-decrypt exclude-cache [server <value>] [application <value>]
If anyone attempts to access the same server before the local cache entry ages out (12 hours), the firewall matches the session to the cache entry, bypasses decryption, and allows the traffic. The firewall flushes the local exclusion cache if you change the Decryption policy or profile because those changes may affect the classification of the session. If the cache becomes full, the firewall purges the oldest entries as new entries arrive.

Recommended For You