Configure Server Certificate Verification for Undecrypted
Even though the traffic is encrypted, you can protect your network against sessions with expired certificates and untrusted issuers for traffic you choose not to decrypt for legal, business, or privacy reasons.
You create no-decryption policies for traffic that you choose not to decrypt because the traffic is personal, sensitive, or subject to local laws and regulations. For example, you may choose not to decrypt the traffic of certain executives or traffic between finance users and finance servers that contain personal information. (Don’t use a policy rule to exclude traffic that you can’t decrypt because a site breaks decryption for technical reasons such as a pinned certificate or mutual authentication. Instead, add the hostname to the Decryption Exclusion List.)
However, just because you don’t decrypt the traffic doesn’t mean you should allow any and all undecrypted traffic on your network. It is a best practice to apply a No Decryption profile to undecrypted traffic to block sessions with expired certificates and untrusted issuers.
- Select Policies > Decryption and Add or modify an existing rule to identify the undecrypted traffic.
- Set the rule Action to No Decrypt so that the firewall doesn’t decrypt traffic that matches the rule.
- Ignore the rule Type because the traffic is not decrypted.
- Commit the configuration.
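One way to audit the result of the steps above is to check an exported configuration for no-decrypt rules that lack a profile blocking expired certificates and untrusted issuers. This is an added example, not Palo Alto Networks code; the element names (`ssl-no-proxy`, `block-expired-certificate`, `block-untrusted-issuer`, `no-decrypt`) are assumed to follow the PAN-OS XML configuration layout, and the sample configuration, rule names, and profile names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. Element names are assumed to follow
# the PAN-OS XML configuration layout; verify them against your own export.
SAMPLE_CONFIG = """
<vsys><entry name="vsys1">
  <profiles><decryption>
    <entry name="no-decrypt-strict"><ssl-no-proxy>
      <block-expired-certificate>yes</block-expired-certificate>
      <block-untrusted-issuer>yes</block-untrusted-issuer>
    </ssl-no-proxy></entry>
    <entry name="no-decrypt-lax"><ssl-no-proxy>
      <block-expired-certificate>yes</block-expired-certificate>
      <block-untrusted-issuer>no</block-untrusted-issuer>
    </ssl-no-proxy></entry>
  </decryption></profiles>
  <rulebase><decryption><rules>
    <entry name="finance-privacy"><action>no-decrypt</action><profile>no-decrypt-strict</profile></entry>
    <entry name="exec-privacy"><action>no-decrypt</action><profile>no-decrypt-lax</profile></entry>
    <entry name="legal-privacy"><action>no-decrypt</action></entry>
    <entry name="outbound-web"><action>decrypt</action></entry>
  </rules></decryption></rulebase>
</entry></vsys>
"""

CHECKS = ("block-expired-certificate", "block-untrusted-issuer")

def audit_no_decrypt_rules(config_xml):
    """Return {rule name: [problems]} for no-decrypt rules without full certificate verification."""
    root = ET.fromstring(config_xml)
    profiles = {p.get("name"): p for p in root.iterfind(".//profiles/decryption/entry")}
    findings = {}
    for rule in root.iterfind(".//rulebase/decryption/rules/entry"):
        if rule.findtext("action") != "no-decrypt":
            continue  # only undecrypted traffic is in scope here
        name = rule.findtext("profile")
        if name not in profiles:
            findings[rule.get("name")] = [f"no valid decryption profile attached (profile={name})"]
            continue
        off = [c for c in CHECKS if profiles[name].findtext(f"ssl-no-proxy/{c}") != "yes"]
        if off:
            findings[rule.get("name")] = [f"{c} is not enabled" for c in off]
    return findings

if __name__ == "__main__":
    for rule, problems in audit_no_decrypt_rules(SAMPLE_CONFIG).items():
        print(f"{rule}: {'; '.join(problems)}")
```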