To exclude traffic from decryption, create a decryption policy rule and set the policy action so that the firewall does not decrypt the matching traffic. You can exclude traffic from decryption based on application, source, destination, URL category, and service (ports and protocols). Because policy rules are compared against incoming traffic in sequence, make sure that a decryption exclusion rule is listed first in your rule list.
Exclude traffic from decryption based on match criteria.
This example shows how to exclude traffic categorized as financial
or health-related from SSL Forward Proxy decryption.
Create a Decryption Policy rule.
Define the traffic that you want to exclude from decryption. In this example:
Give the rule a descriptive name, such as No-Decrypt-Finance-Health.
Apply the No-Decrypt-Finance-Health rule to all SSL traffic destined for an external server.
Select the URL categories financial-services and health-and-medicine.
Set the policy action so that the matching traffic is not decrypted.
You can still use a decryption profile to validate certificates for sessions the firewall does not decrypt. Attach a decryption profile to the rule and configure the profile to Block sessions with expired certificates and Block sessions with untrusted issuers.
Save the No-Decrypt-Finance-Health rule.
Place the decryption exclusion rule at the top of your rule list. Decryption rules are enforced against incoming traffic in sequence, and the first rule that matches the traffic is enforced; moving the exclusion rule to the top of the rule list ensures that traffic matched by the rule remains encrypted, even if it would also match a later decryption rule.
On the decryption policies page, select the policy No-Decrypt-Finance-Health and move it so that it appears at the top of the list (or you can drag and drop the
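The first-match behaviour described above, as an added Python model that is not Palo Alto Networks code: it evaluates a constructed decryption rulebase against a sample session and flags an exclusion rule that a broader decrypt rule placed above it would shadow. The rule fields, the zone name, the Decrypt-Outbound rule and the sample session are assumptions for illustration.

```python
"""First-match evaluation of a decryption rulebase (added example, not
Palo Alto Networks code). Rule names, zones and sessions are constructed."""
from dataclasses import dataclass, field

ANY = "any"


@dataclass
class DecryptionRule:
    name: str
    action: str                                   # "decrypt" or "no-decrypt"
    url_categories: set = field(default_factory=lambda: {ANY})
    destination_zone: str = ANY                   # assumed zone names
    service: str = ANY                            # e.g. "service-https"

    def matches(self, session):
        return ((ANY in self.url_categories or session["url_category"] in self.url_categories)
                and self.destination_zone in (ANY, session["destination_zone"])
                and self.service in (ANY, session["service"]))

def evaluate(rulebase, session):
    """First matching rule wins; a session that matches no rule is left encrypted."""
    for rule in rulebase:
        if rule.matches(session):
            return rule.name, rule.action
    return None, "no-decrypt"

def _overlap(a, b):
    """True if some session could match both rules ('any' matches everything)."""
    cats = ANY in a.url_categories or ANY in b.url_categories or a.url_categories & b.url_categories
    zones = ANY in (a.destination_zone, b.destination_zone) or a.destination_zone == b.destination_zone
    svcs = ANY in (a.service, b.service) or a.service == b.service
    return bool(cats and zones and svcs)

def shadowed_exclusions(rulebase):
    """(exclusion, decrypt rule) pairs where a decrypt rule above an exclusion would
    decrypt traffic the exclusion was meant to keep encrypted."""
    return [(rule.name, earlier.name)
            for i, rule in enumerate(rulebase) if rule.action == "no-decrypt"
            for earlier in rulebase[:i]
            if earlier.action == "decrypt" and _overlap(earlier, rule)]

# Constructed rulebase: this page's exclusion plus an assumed broad outbound decrypt rule.
EXCLUSION = DecryptionRule("No-Decrypt-Finance-Health", "no-decrypt",
                           {"financial-services", "health-and-medicine"}, "untrust")
DECRYPT_OUTBOUND = DecryptionRule("Decrypt-Outbound", "decrypt", destination_zone="untrust")
BANK_SESSION = {"url_category": "financial-services", "destination_zone": "untrust",
                "service": "service-https"}
```

With the exclusion listed below Decrypt-Outbound, `evaluate` reports the banking session as decrypted and `shadowed_exclusions` names the shadowing rule; with the exclusion first, the same session stays encrypted.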