Temporarily Disable SSL Decryption

If an issue with a decryption deployment requires more than a short period of time to diagnose, you can temporarily disable SSL decryption and then re-enable it after you fix the issue without a Commit operation, so network traffic isn’t disrupted.
In some cases you may want to temporarily disable SSL decryption. For example, if you deployed SSL decryption too hastily and something doesn’t work correctly but you’re not sure what it is, and you have a lot of rules to examine, you can use the CLI to temporarily turn off decryption and give yourself time to analyze and solve the issue. After solving the issue, you can use the CLI to turn SSL decryption back on again. Because temporarily disabling and then re-enabling decryption using the CLI doesn’t require a Commit operation, you can do it without disrupting network traffic.
The following CLI commands temporarily disable SSL decryption without a Commit and re-enable decryption without a Commit.
The command to disable SSL decryption doesn’t persist in the configuration after a reboot. If you turn off decryption temporarily and then reboot the firewall, regardless of whether the issue has been fixed, decryption is turned on again.
  • Disable SSL Decryption
    set system setting ssl-decrypt skip-ssl-decrypt yes
  • Re-enable SSL Decryption
    set system setting ssl-decrypt skip-ssl-decrypt no

Related Documentation