Create a Policy-Based Decryption Exclusion

Exclude traffic that you choose not to decrypt for legal, privacy, or business reasons from decryption to comply with those policies while still applying SSL protections with a Decryption profile.
Policy-based decryption exclusions are for excluding traffic that you choose not to decrypt. You can create a policy-based decryption exclusion based on any combination of the traffic’s source, destination, service, or URL Category. Examples of traffic you may choose not to decrypt include:
  • Sensitive traffic that you should never decrypt, such as the URL Filtering categories financial-services, health-and-medicine, and government.
    You can use predefined URL Categories to except entire categories from decryption, you can create custom URL Categories to define a customized list of URLs that you don’t want to decrypt, or you can create an External Dynamic List (EDL) to define a customized list of URLs that you don’t want to decrypt.
    In environments such as Office 365 that have dynamically changing IP addresses or in environments where you make frequent changes to the list of URLs that you want to exclude from decryption, it’s often preferable to use an EDL instead of a URL Category to specify the excluded URLs. Editing a custom URL Category or adding or removing a predefined URL Category requires a Commit action to take effect. However, when you edit an EDL, the firewall imports and implements the changes dynamically, without a Commit action, so using an EDL is less disruptive in a dynamically changing environment.
  • The traffic originates or is destined for executives or other users whose traffic shouldn’t be decrypted.
  • Some devices such as finance servers may need to be excepted from decryption.
  • Depending on the business, some companies may value privacy and the user experience more than security for some applications.
  • Laws or local regulations that prohibit decryption of some traffic.
    An example of not decrypting traffic for regulatory and legal compliance is the European Union (EU) General Data Protection Regulation (GDPR). The EU GDPR will require strong protection of all personal data for all individuals. The GDPR affects all companies, including foreign companies, that collect or process the personal data of EU residents.
    Different regulations and compliance rules may mean that you treat the same data differently in different countries or regions. Businesses usually can decrypt personal information in their corporate data centers because the business owns the information. The best practice is to decrypt as much traffic as possible so that you can see it and apply security protection to it.
If you choose to except traffic from decryption, make sure it really is traffic you don’t want to decrypt. Don’t create exceptions that are broader than necessary. Configure the traffic source, destination, service, and URL Category in the Decryption policy so that you except only the traffic you really mean to except from decryption. The more specific the decryption exclusion, the better, so that you don’t inadvertently exclude more traffic than necessary from decryption. Work with human resources, legal, finance, executives, IT, and other groups to identify sensitive information that the firewall should not decrypt.
Similar to Security policy rules, the firewall compares incoming traffic to Decryption policy rules in the Decryption policy rulebase’s sequence. Place exclusion policy rules at the top of the rulebase.
The reason you place decryption exclusion rules at the top of the rulebase is to prevent inadvertently decrypting traffic you don’t want to decrypt or traffic that laws or regulations prevent you from decrypting because the traffic matches a decryption rule before it matches the rule that is meant to except the traffic from decryption. If you create policy-based decryption exclusions, the best practice is to place the following exclusion rules at the top of the decryption rulebase, in the following order:
  1. IP-address based exceptions for sensitive destination servers.
  2. Source-user based exceptions for executives and other users or groups.
  3. Custom URL or EDL based exceptions for destination URLs.
  4. Sensitive predefined URL Category based exceptions for destination URLs of entire categories such as financial-services, health-and-medicine, and government.
Place rules that decrypt traffic after these rules in the decryption rulebase.
  1. Exclude traffic from decryption based on match criteria.
    This example shows how to exclude traffic categorized as financial or health-related from SSL Forward Proxy decryption.
    1. Select PoliciesDecryption and Add or modify a decryption policy rule.
    2. Define the traffic that you want to exclude from decryption.
      In this example:
      1. Give the rule a descriptive Name, such as No-Decrypt-Finance-Health.
      2. Set the Source and Destination to Any to apply the No-Decrypt-Finance-Health rule to all SSL traffic destined for an external server.
      3. Select URL Category and Add the URL categories financial-services and health-and-medicine.
        decryption-exclusion-policy-url-cats-example.png
    3. Select Options and set the rule to No Decrypt.
    4. (Optional but a best practice) Use a Decryption Profile for No Decryption to validate certificates for sessions the firewall does not decrypt. Attach the No Decryption profile to the rule and set the profile to Block sessions with expired certificates and Block sessions with untrusted issuers.
    5. Click OK to save the No-Decrypt-Finance-Health decryption rule.
  2. Place the decryption exclusion rule at the top of your decryption policy rulebase.
    The firewall enforces decryption rules against incoming traffic in the rulebase sequence and enforces the first rule that match the traffic.
    Select the No-Decrypt-Finance-Health policy (DecryptionPolicies), and click Move Up until it appears at the top of the list, or drag and drop the rule.
  3. Save the configuration.
    Click Commit.

Related Documentation