a Decryption Policy Rule
- Select Policies > Decryption and Add a new decryption policy rule.
- Give the policy rule a descriptive Name.
- Configure the decryption rule to match to traffic based on network and policy objects:
  - Firewall security zones—Select Source and/or Destination and match to traffic based on the Source Zone and/or the Destination Zone.
  - IP addresses, address objects, and/or address groups—Select Source and/or Destination to match to traffic based on Source Address and/or the Destination Address. Alternatively, select Negate to exclude the source address list from decryption.
  - Users—Select Source and set the Source User for whom to decrypt traffic. You can decrypt specific user or group traffic, or decrypt traffic for certain types of users, such as unknown users or pre-logon users (users that are connected to GlobalProtect but are not yet logged in).
  - Ports and protocols—Select Service/URL Category to set the rule to match to traffic based on service. By default, the policy rule is set to decrypt Any traffic on TCP and UDP ports. You can Add a service or a service group, and optionally set the rule to application-default to match to applications only on the application default ports.
    The application-default setting is useful to Configure Decryption Exceptions. You can exclude applications running on their default ports from decryption, while continuing to decrypt the same applications when they are detected on non-standard ports.
  - URLs and URL categories—Select Service/URL Category and decrypt traffic based on:
    - An externally-hosted list of URLs that the firewall retrieves for policy-enforcement (see Objects > External Dynamic Lists).
    - Custom URL categories (see Objects > Custom Objects > URL Category).
    - Palo Alto Networks URL categories. This option is useful to Configure Decryption Exceptions. For example, you could create a custom URL category to group sites that you do not want to decrypt, or you could exclude financial or healthcare-related sites from decryption based on the Palo Alto Networks URL categories.
- Set the action the policy rule enforces on matching traffic: the rule can either decrypt matching traffic or exclude matching traffic from decryption. Select Options and set the policy rule Action:
  - Decrypt matching traffic:
  - Exclude matching traffic from decryption: Select No Decrypt.
- (Optional) Select a Decryption Profile to apply the profile settings to decrypted traffic. (To Create a Decryption Profile, select Objects > Decryption Profile.)
- Click OK to save the policy.
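
To check how decryption exceptions interact with a broad decrypt rule before committing them, the matching criteria from the steps above can be modelled offline. This is an added example, not Palo Alto Networks code: a simplified Python model that assumes rules are evaluated top-down with the first match winning and that traffic matching no rule is not decrypted. The rule names, zone names, the 10.1.20.0/24 subnet and the category strings are constructed sample values.

```python
# Simplified model of decryption rule matching (illustration only, not PAN-OS code).
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = frozenset({"any"})
# app_default_ports: default ports of the application identified in the session
Session = namedtuple("Session", "src_zone dst_zone src_ip user url_category "
                                "dst_port app_default_ports")

@dataclass
class Rule:
    name: str
    action: str                       # "decrypt" or "no-decrypt"
    src_zones: frozenset = ANY
    dst_zones: frozenset = ANY
    src_addrs: tuple = ("0.0.0.0/0",)
    negate_src: bool = False          # Negate: match every source except src_addrs
    users: frozenset = ANY
    url_categories: frozenset = ANY
    service: object = "any"           # "any", "application-default", or a set of ports

def _in(value, allowed):
    return "any" in allowed or value in allowed

def matches(rule, s):
    src_hit = any(ip_address(s.src_ip) in ip_network(n) for n in rule.src_addrs)
    ports = s.app_default_ports if rule.service == "application-default" else rule.service
    svc_hit = rule.service == "any" or s.dst_port in ports
    return (_in(s.src_zone, rule.src_zones) and _in(s.dst_zone, rule.dst_zones)
            and src_hit != rule.negate_src and _in(s.user, rule.users)
            and _in(s.url_category, rule.url_categories) and svc_hit)

def evaluate(rules, s):
    """Top-down, first match wins; unmatched traffic is assumed not decrypted."""
    for rule in rules:
        if matches(rule, s):
            return rule.name, rule.action
    return None, "no-decrypt"

# Constructed rulebase: two exceptions placed above a broad decrypt rule.
RULES = [
    Rule("no-decrypt-finance", "no-decrypt", url_categories=frozenset({"financial-services"})),
    Rule("no-decrypt-lab-default-ports", "no-decrypt", src_addrs=("10.1.20.0/24",),
         service="application-default"),
    Rule("decrypt-outbound", "decrypt", src_zones=frozenset({"trust"}),
         dst_zones=frozenset({"untrust"})),
]
```

Calling `evaluate(RULES, session)` for a session from the sample subnet on the application's default port returns the no-decrypt exception, while the same session on a non-standard port falls through to `decrypt-outbound`.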