Use Decryption Policy rules to define the traffic you
decrypt and the traffic you choose not to decrypt because of regulations,
business reasons, or privacy reasons.
A Decryption policy rule lets you define the traffic that you want
the firewall to decrypt and the traffic that you choose to exclude
from decryption because it is personal or because local regulations
prohibit decrypting it.
Attach a Decryption profile to each Decryption policy rule to
enable certificate checks, session mode checks, failure checks,
and protocol and algorithm checks, depending on the profile. These
checks prevent risky connections, such as sessions with untrusted
certificate issuers, weak protocols, ciphers, and algorithms, and servers
that have certificate issues.
As a best practice, always block URL Filtering categories such as malware,
phishing, dynamic-dns, unknown, command-and-control, proxy-avoidance-and-anonymizers,
questionable, and parked. Many companies also block the copyright-infringement
and extremism URL categories. If you must allow any of these categories
for business reasons, you must decrypt them and apply strict Security
profiles to the traffic.
URL categories that you should always decrypt if you allow them
include: online-storage-and-backup, web-based-email, web-hosting, personal-sites-and-blogs,
In Security policy, block the Quick UDP Internet Connections (QUIC) protocol
unless, for business reasons, you want to allow encrypted browser traffic.
Chrome and some other browsers establish sessions using QUIC instead
of TLS/SSL, but QUIC uses proprietary encryption that the firewall can’t
decrypt, so potentially dangerous traffic may enter the network
as encrypted traffic. Blocking QUIC forces the browser to fall back
to TLS/SSL and enables the firewall to decrypt the traffic.
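The guidance above (a Decryption profile on every Decryption rule, risky URL categories blocked or decrypted, the always-decrypt categories never excluded from decryption, and QUIC blocked in Security policy) can be checked mechanically against an exported policy. The following script is an added example, not Palo Alto Networks code: it audits a constructed, simplified model of the two rulebases (dictionaries with name, action, categories, profile and applications) rather than the PAN-OS configuration schema, and an exported configuration would have to be mapped into that shape first. The sample rules at the bottom are constructed for illustration.

```python
"""Audit a simplified model of Decryption and Security rulebases against the
best practices described above.

Added example, not Palo Alto Networks code. The rule dictionaries are a
constructed, simplified representation, not the PAN-OS configuration schema.
"""

# URL categories the guidance says to block; if allowed, they must be decrypted.
ALWAYS_BLOCK = frozenset({
    "malware", "phishing", "dynamic-dns", "unknown", "command-and-control",
    "proxy-avoidance-and-anonymizers", "questionable", "parked",
})
# URL categories the guidance says to always decrypt when they are allowed.
ALWAYS_DECRYPT = frozenset({
    "online-storage-and-backup", "web-based-email", "web-hosting",
    "personal-sites-and-blogs",
})


def rule_categories(rule):
    """Expand the 'any' wildcard so that set intersections see every category."""
    cats = set(rule.get("categories", []))
    if "any" in cats:
        return ALWAYS_BLOCK | ALWAYS_DECRYPT | cats
    return cats


def audit_decryption_rules(rules):
    """Return (rule name, problem) tuples for Decryption rules that break the guidance."""
    findings = []
    for rule in rules:
        name = rule["name"]
        cats = rule_categories(rule)
        # Every Decryption rule should carry a Decryption profile so that the
        # certificate, session mode, failure and protocol checks actually run.
        if not rule.get("profile"):
            findings.append((name, "no Decryption profile attached"))
        if rule["action"] == "no-decrypt":
            for cat in sorted(cats & ALWAYS_BLOCK):
                findings.append((name, f"excludes always-block category '{cat}' from decryption"))
            for cat in sorted(cats & ALWAYS_DECRYPT):
                findings.append((name, f"excludes always-decrypt category '{cat}' from decryption"))
    return findings


def first_match_action(rules, application):
    """First-match evaluation of an ordered Security rulebase for one application name."""
    for rule in rules:
        apps = set(rule.get("applications", []))
        if application in apps or "any" in apps:
            return rule["name"], rule["action"]
    return None, "deny"  # nothing matched: treat as the implicit default deny


def audit_security_rules(rules):
    """Flag a Security rulebase whose first match for QUIC is an allow."""
    name, action = first_match_action(rules, "quic")
    if action == "allow":
        return [(name, "QUIC is allowed; browsers will not fall back to TLS, "
                       "so this traffic cannot be decrypted")]
    return []


# Constructed sample rulebases (not taken from any real firewall).
DECRYPTION_RULES = [
    {"name": "no-decrypt-finance", "action": "no-decrypt",
     "categories": ["financial-services", "health-and-medicine"],
     "profile": "no-decrypt-checks"},
    {"name": "no-decrypt-webmail", "action": "no-decrypt",
     "categories": ["web-based-email"], "profile": None},
    {"name": "decrypt-everything-else", "action": "decrypt",
     "categories": ["any"], "profile": "forward-proxy-strict"},
]
# Weak Security rulebase: a blanket allow lets QUIC through.
SECURITY_RULES_WEAK = [
    {"name": "allow-web", "action": "allow", "applications": ["any"]},
]
# Corrected rulebase: an explicit QUIC block placed before the blanket allow.
SECURITY_RULES_FIXED = [
    {"name": "block-quic", "action": "deny", "applications": ["quic"]},
    {"name": "allow-web", "action": "allow", "applications": ["any"]},
]

if __name__ == "__main__":
    for finding in audit_decryption_rules(DECRYPTION_RULES):
        print("decryption:", *finding)
    for finding in audit_security_rules(SECURITY_RULES_WEAK):
        print("security (weak):", *finding)
    print("security (fixed):", audit_security_rules(SECURITY_RULES_FIXED) or "no findings")
```

Rule order matters for the QUIC check: Security policy is evaluated first match, so the block rule only works when it sits above the blanket allow, which is why the audit walks the rulebase in order instead of searching for a deny rule anywhere in it.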
Decrypting TLS traffic forces browsers that use HTTP/2
to fall back to HTTP 1.1 because the firewall can’t decrypt HTTP/2
traffic. Allow browsers to fall back to HTTP 1.1 so you can decrypt
this traffic and prevent potentially dangerous traffic from entering
the network as encrypted traffic.