Automatically add Decryption exclusions to the local
exclusion cache to allow application traffic that uses unsupported
modes.
The firewall can add servers to the Local
Decryption Exclusion cache (Device > Certificate Management > SSL Decryption
Exclusion > Show Local Exclusion Cache)
and exclude their traffic from decryption automatically for 12 hours
if that traffic breaks decryption for technical reasons such as
a pinned certificate or an unsupported certificate. When the Decryption
profile allows unsupported modes—sessions with client authentication, unsupported
versions, or unsupported cipher suites—and the allowed traffic uses
an unsupported mode, then the device automatically adds the server
to the local exclusion cache and bypasses decryption. The firewall
doesn’t decrypt, inspect, or enforce Security policy on traffic
that the Local Decryption Exclusion cache allows because the traffic
remains encrypted. Ensure that the sites you exclude from decryption
(by applying a Decryption profile that allows unsupported modes)
are sites with applications or services you need for business.
Blocking unsupported modes increases security, but it also blocks
communication with any application that depends on those modes. Client authentication
is a common reason for excluding applications from decryption, which
is why the best practice is to block unsupported versions and unsupported
ciphers and to allow client authentication in the Decryption profile.
If the Decryption profile allows client authentication, then when
a client starts a session with a server that requires the client
to authenticate, instead of blocking the traffic because the firewall
can’t decrypt it, the firewall adds the application and server to
the local exclusion cache and allows the traffic.
If you need to allow traffic to sites that
use client authentication and are not among the predefined sites on
the SSL Decryption Exclusion
list, create a Decryption profile that allows sessions with
client authentication. Add the profile to a Decryption policy rule
that applies only to the server(s) that host the application. To
increase security even more, you can require Multi-Factor Authentication
to complete the user login process. Alternatively, you can add the
site to the SSL Decryption Exclusion list to skip decryption without
using an explicit Decryption policy.
The firewall adds Local SSL Decryption Exclusion cache entries
based on the Decryption policy and profile that controls the application
traffic. If you don’t block Unsupported Mode Checks in
the Decryption profile, the firewall adds entries to the Local SSL
Decryption Exclusion cache when:
- The client supports only TLSv1.2 and the server supports only TLSv1.3. In the local cache, the Reason shown for this exclusion is SSL_UNSUPPORTED.
- The client supports TLSv1.3 and TLSv1.2, and the server supports only TLSv1.2. In this case, the Reason column shows TLS13_UNSUPPORTED. When the Reason for adding a server to the Local SSL Decryption Exclusion cache is TLS13_UNSUPPORTED, the firewall downgrades the protocol to TLSv1.2 and then decrypts and inspects the traffic.
- The client advertises a specific cipher that the server doesn’t support.
- The client advertises a specific curve that the server doesn’t support.
The local cache contains a maximum of 1,024 entries. You can’t
add local exclusions to the Local SSL Decryption Exclusion cache
manually (but you can add decryption exclusions to the SSL Decryption
Exclusion list manually).
You must have superuser or Certificate Management administrative
access to view the Local SSL Decryption Exclusion cache. To view
it, navigate to Device > Certificate Management > SSL Decryption Exclusion and
then click Show Local Exclusion Cache near
the bottom of the screen. The local exclusion cache displays the
application, the server, the reason for inclusion in the cache,
the Decryption profile that controls the traffic, and more for each
entry. You can select and delete entries from the local cache manually.
If any client attempts to access the same server before the local
cache entry ages out (12 hours), the firewall matches the session
to the cache entry, bypasses decryption, and allows the traffic.
The firewall flushes the local exclusion cache if you change the
Decryption policy or profile because those changes may affect the
classification of the session. If the cache becomes full, the firewall
purges the oldest entries as new entries arrive.
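The version, cipher and curve rules listed earlier and the cache lifecycle described above (12-hour age-out, 1,024-entry limit, oldest-first purge, flush when the Decryption policy or profile changes) as an added Python model. This is an illustration written for this page, not PAN-OS code: the reason strings SSL_UNSUPPORTED and TLS13_UNSUPPORTED and the limits come from the text; the reason names for the cipher and curve cases, the reading of "doesn't support" as no cipher or curve in common, the profile flag, the function and field names, and the sample application and server values are assumptions.

```python
"""Model of the Local SSL Decryption Exclusion cache rules (added illustration).

Reason strings SSL_UNSUPPORTED / TLS13_UNSUPPORTED, the 12-hour TTL, the
1,024-entry limit, oldest-first purge and flush-on-policy-change follow the
page. Everything else (cipher/curve reason names, the profile flag, the
function names) is an assumption made for this example.
"""
import time
from collections import OrderedDict
from dataclasses import dataclass
from typing import List, Optional, Tuple

TLS12, TLS13 = "TLSv1.2", "TLSv1.3"
CACHE_TTL_SECONDS = 12 * 60 * 60   # entries age out after 12 hours
CACHE_MAX_ENTRIES = 1024           # oldest entries are purged when the cache is full

# Placeholder reason names for the cipher/curve cases (assumed, not from the page).
CIPHER_REASON = "UNSUPPORTED_CIPHER"
CURVE_REASON = "UNSUPPORTED_CURVE"

# Two constructed Decryption profiles: one allows unsupported modes, one blocks them.
ALLOW_PROFILE = {"name": "allow-unsupported-modes", "allow_unsupported_modes": True}
BLOCK_PROFILE = {"name": "block-unsupported-modes", "allow_unsupported_modes": False}


def classify_handshake(client_versions: List[str], server_versions: List[str],
                       client_ciphers: List[str], server_ciphers: List[str],
                       client_curves: List[str], server_curves: List[str]
                       ) -> Tuple[Optional[str], bool]:
    """Return (reason, decrypt). reason is None when no exclusion is needed.

    decrypt=False means the session bypasses decryption. TLS13_UNSUPPORTED is
    the one cached reason where the firewall still decrypts, after downgrading
    the session to TLSv1.2.
    """
    if not set(client_versions) & set(server_versions):
        return "SSL_UNSUPPORTED", False          # e.g. client only 1.2, server only 1.3
    if TLS13 in client_versions and TLS13 not in server_versions:
        return "TLS13_UNSUPPORTED", True         # downgrade to TLSv1.2 and decrypt
    if not set(client_ciphers) & set(server_ciphers):
        return CIPHER_REASON, False              # no cipher in common (interpretation)
    if not set(client_curves) & set(server_curves):
        return CURVE_REASON, False               # no curve in common (interpretation)
    return None, True


@dataclass
class Entry:
    application: str
    server: str
    reason: str
    profile: str
    decrypt: bool
    expires_at: float


class LocalExclusionCache:
    """Insertion-ordered cache: oldest entry is first, so purge pops from the front."""

    def __init__(self) -> None:
        self._entries: "OrderedDict[Tuple[str, str], Entry]" = OrderedDict()

    def __len__(self) -> int:
        return len(self._entries)

    def lookup(self, application: str, server: str, now: Optional[float] = None) -> Optional[Entry]:
        now = time.time() if now is None else now
        entry = self._entries.get((application, server))
        if entry is None:
            return None
        if now >= entry.expires_at:              # aged out (12 h): drop it and miss
            del self._entries[(application, server)]
            return None
        return entry

    def add(self, application: str, server: str, reason: str, profile: str,
            decrypt: bool, now: Optional[float] = None) -> Entry:
        now = time.time() if now is None else now
        key = (application, server)
        self._entries.pop(key, None)
        while len(self._entries) >= CACHE_MAX_ENTRIES:
            self._entries.popitem(last=False)    # purge the oldest entry
        self._entries[key] = Entry(application, server, reason, profile, decrypt,
                                   now + CACHE_TTL_SECONDS)
        return self._entries[key]

    def delete(self, application: str, server: str) -> None:
        self._entries.pop((application, server), None)   # manual deletion from the GUI

    def on_policy_change(self) -> None:
        self._entries.clear()                    # policy/profile edits flush the cache


def handle_session(cache: LocalExclusionCache, application: str, server: str,
                   profile: dict, hello: dict, now: Optional[float] = None) -> str:
    """Return 'bypass', 'decrypt' or 'block' for one session, updating the cache."""
    now = time.time() if now is None else now
    hit = cache.lookup(application, server, now)
    if hit is not None:                          # cached: no reclassification
        return "decrypt" if hit.decrypt else "bypass"
    reason, decrypt = classify_handshake(**hello)
    if reason is None:
        return "decrypt"
    if not profile["allow_unsupported_modes"]:
        return "block"                           # profile blocks unsupported modes
    cache.add(application, server, reason, profile["name"], decrypt, now)
    return "decrypt" if decrypt else "bypass"
```

The `hello` dictionary is the constructed input: the version, cipher and curve lists a client and server advertise. Run the same server through `handle_session` twice and the second call hits the cache without re-running the checks, which is the behaviour that makes a stale entry matter until it ages out or the policy changes.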