End-of-Life (EoL)

Exclude Traffic from Decryption

To exclude traffic from decryption, create a decryption policy rule and set the policy action to No Decrypt. Exclude traffic from decryption based on application, source, destination, URL category, and service (ports and protocols). Because policy rules are compared against incoming traffic in sequence, make sure that a decryption exclusion rule is listed first in your decryption policy.
  1. Exclude traffic from decryption based on match criteria.
    This example shows how to exclude traffic categorized as financial or health-related from SSL Forward Proxy decryption.
    1. Select Policies > Decryption and modify or create a decryption policy rule.
    2. Define the traffic that you want to exclude from decryption.
      In this example:
      1. Give the rule a descriptive Name, such as No-Decrypt-Finance-Health.
      2. Set the Source and Destination to Any to apply the No-Decrypt-Finance-Health rule to all SSL traffic destined for an external server.
      3. Select URL Category and Add the URL categories financial-services and health-and-medicine.
    3. Select Options and set the rule to No Decrypt.
    4. (Optional) You can still use a decryption profile to validate certificates for sessions the firewall does not decrypt. Attach a decryption profile to the rule that is set to Block sessions with expired certificates and/or Block sessions with untrusted issuers.
    5. Click OK to save the No-Decrypt-Finance-Health decryption rule.
  2. Place the decryption exclusion rule at the top of your decryption policy.
    Decryption rules are enforced against incoming traffic in sequence, and the first rule to match the traffic is enforced. Moving the No Decrypt rule to the top of the rule list ensures that the traffic matched to the rule remains encrypted, even if the traffic would also match other decryption rules later in the list.
    On the Decryption Policies page, select the policy No-Decrypt-Finance-Health, and click Move Up until it appears at the top of the list (or you can drag and drop the rule).
  3. Commit the configuration.
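
The ordering requirement in step 2 can be checked mechanically. The following is an added example, not part of the original documentation or of PAN-OS: a simplified first-match model that reports No Decrypt rules shadowed by an earlier decrypt rule. The rule fields, the Decrypt-Outbound rule and the "news" category are assumptions made for illustration.

```python
# Added example: simplified model of first-match decryption policy evaluation.
# Rule fields, Decrypt-Outbound and the "news" category are constructed for
# illustration; this is not the PAN-OS configuration schema.
from dataclasses import dataclass

ANY = frozenset({"any"})

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "decrypt" or "no-decrypt"
    url_categories: frozenset = ANY   # {"any"} matches every URL category

    def matches(self, category):
        return self.url_categories == ANY or category in self.url_categories

def first_match(rules, category):
    """Return the first rule in list order that matches the URL category."""
    for rule in rules:
        if rule.matches(category):
            return rule
    return None

def shadowed_exclusions(rules):
    """Find no-decrypt rules whose categories are claimed by an earlier decrypt rule."""
    findings = []
    for rule in rules:
        if rule.action != "no-decrypt":
            continue
        for category in sorted(rule.url_categories):
            winner = first_match(rules, category)
            if winner is not rule and winner.action == "decrypt":
                findings.append((rule.name, category, winner.name))
    return findings

def move_to_top(rules, name):
    """Return a new rule list with the named rule first (the Move Up step)."""
    target = [r for r in rules if r.name == name]
    return target + [r for r in rules if r.name != name]

EXCLUSION = Rule("No-Decrypt-Finance-Health", "no-decrypt",
                 frozenset({"financial-services", "health-and-medicine"}))
BEFORE = [Rule("Decrypt-Outbound", "decrypt"), EXCLUSION]   # exclusion listed last
AFTER = move_to_top(BEFORE, "No-Decrypt-Finance-Health")     # exclusion listed first

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, "shadowed:", shadowed_exclusions(rules))
        print(label, "financial-services ->", first_match(rules, "financial-services").name)
```

With the exclusion listed last, both of its URL categories are reported as shadowed; after the move, the list of findings is empty and other categories still reach the decrypt rule.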
