Temporarily Disable SSL Decryption
If an issue with a decryption deployment requires more than a short period of time to diagnose, you can temporarily disable SSL decryption and then re-enable it after you fix the issue. Neither step requires a Commit operation, so network traffic isn’t disrupted.
In some cases you may want to temporarily disable SSL decryption. For example, if you deployed SSL decryption too hastily and something doesn’t work correctly but you’re not sure what it is, and you have a lot of rules to examine, you can use the CLI to temporarily turn off decryption and give yourself time to analyze and solve the issue. After solving the issue, you can use the CLI to turn SSL decryption back on again. Because temporarily disabling and then re-enabling decryption using the CLI doesn’t require a Commit operation, you can do it without disrupting network traffic.
The following CLI commands temporarily disable SSL decryption and then re-enable it, in both cases without a Commit.
The command to disable SSL decryption doesn’t persist in the configuration after a reboot. If you turn off decryption temporarily and then reboot the firewall, regardless of whether the issue has been fixed, decryption is turned on again.
- Disable SSL Decryption
    set system setting ssl-decrypt skip-ssl-decrypt yes
- Re-enable SSL Decryption
    set system setting ssl-decrypt skip-ssl-decrypt no