Decryption Profile for No Decryption

The No Decryption profile blocks risky sessions for traffic that you choose not to decrypt by policy rule.
The No Decryption profile (ObjectsDecryption ProfileNo Decryption) controls server verification checks for traffic that you choose not to decrypt as defined in “No Decryption” Decryption policies to which you attach the profile. (Don’t exclude traffic that you can’t decrypt because a site breaks decryption for technical reasons such as a pinned certificate or mutual authentication by policy. Instead, add the hostname to the Decryption Exclusion List.) The following figure shows the general best practice recommendations for the No Decryption profile settings, but the settings you use also depend on your company’s security compliance rules and local laws and regulations.
no-decryption-best-practice-decryption-profile.png
  • Block sessions with expired certificates—Always check this box to block sessions with servers that have expired certificates and prevent access to potentially insecure sites. If you don’t check this box, users can connect with and transact with potentially malicious sites and see warning messages when they attempt to connect, but the connection is not prevented.
  • Block sessions with untrusted issuers—Always check this box to block sessions with servers that have untrusted certificate issuers. An untrusted issuer may indicate a man-in-the-middle attack, a replay attack, or other attack.

Related Documentation