End-of-Life (EoL)

Enable Users to Opt Out of SSL Decryption

In some cases, you might need to alert your users to the fact that the firewall is decrypting certain web traffic and allow them to terminate sessions that they do not want inspected. With SSL Opt Out enabled, the first time a user attempts to browse to an HTTPS site or application that matches your decryption policy, the firewall displays a response page notifying the user that it will decrypt the session. Users can either click Yes to allow decryption and continue to the site or click No to opt out of decryption and terminate the session. The choice to allow decryption applies to all HTTPS sites that users try to access for the next 24 hours, after which the firewall redisplays the response page. Users who opt out of SSL decryption cannot access the requested web page, or any other HTTPS site, for the next minute. After the minute elapses, the firewall redisplays the response page the next time the users attempt to access an HTTPS site.
The firewall includes a predefined SSL Decryption Opt-out Page that you can enable. You can optionally customize the page with your own text and/or images.
  1. (Optional) Customize the SSL Decryption Opt-out Page.
    1. Select Device > Response Pages.
    2. Select the SSL Decryption Opt-out Page link.
    3. Select the Predefined page and click Export.
    4. Using the HTML text editor of your choice, edit the page.
    5. If you want to add an image, host the image on a web server that is accessible from your end user systems.
    6. Add a line to the HTML to point to the image. For example:
      <img src="http://cdn.slidesharecdn.com/Acme-logo-96x96.jpg?1382722588"/>
    7. Save the edited page with a new filename. Make sure that the page retains its UTF-8 encoding.
    8. Back on the firewall, select Device > Response Pages.
    9. Select the SSL Decryption Opt-out Page link.
    10. Click Import and then enter the path and filename in the Import File field or Browse to locate the file.
    11. (Optional) Select the virtual system on which this response page will be used from the Destination drop-down or select shared to make it available to all virtual systems.
    12. Click OK to import the file.
    13. Select the response page you just imported and click Close.
  2. Enable SSL Decryption Opt Out.
    1. On the Device > Response Pages page, click the Disabled link.
    2. Select the Enable SSL Opt-out Page and click OK.
    3. Commit the changes.
  3. Verify that the Opt Out page displays when you attempt to browse to a site.
    From a browser, go to an encrypted site that matches your decryption policy.
    Verify that the SSL Decryption Opt-out response page displays.
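
A pre-import check for the customized page from steps 1.4 to 1.7, as an added example (not Palo Alto Networks code): it confirms the edited file is still valid UTF-8 and that each image points at an absolute URL on a web server. The function name, the sample pages, and the HTTPS finding are assumptions of this example, not requirements stated on this page.

```python
# Added example: lint a customized response page before importing it.
# lint_response_page and the sample pages are hypothetical, not vendor code.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.sources.append(dict(attrs).get("src") or "")


def lint_response_page(raw: bytes) -> list[str]:
    """Return findings for the edited page; an empty list means clean."""
    try:
        text = raw.decode("utf-8")  # step 7: the page must stay UTF-8
    except UnicodeDecodeError as exc:
        return [f"not valid UTF-8 (byte offset {exc.start})"]
    parser = _ImgCollector()
    parser.feed(text)
    findings = []
    for src in (s.strip() for s in parser.sources):
        url = urlparse(src)
        if any(ch.isspace() for ch in src):
            findings.append(f"whitespace in image URL: {src!r}")
        if not url.netloc:
            # step 5: the image must be hosted on a reachable web server
            findings.append(f"image is not an absolute URL: {src!r}")
        elif url.scheme != "https":
            # assumption of this example: prefer TLS for embedded images
            findings.append(f"image not loaded over HTTPS: {src!r}")
    return findings


# Constructed sample pages (not the firewall's predefined page).
GOOD = '<html><body><img src="https://intranet.example.com/logo.png"/></body></html>'.encode("utf-8")
BAD = b'<html><body>caf\xe9 <img src="logo.png"/></body></html>'  # Latin-1 byte

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        for finding in lint_response_page(fh.read()):
            print("FINDING:", finding)
```

Run it against the file you saved in step 7; no output means the page passed all three checks.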