The No Decryption profile blocks risky sessions for traffic
that you choose not to decrypt by policy rule.
The No Decryption profile controls server verification checks for traffic
that you choose not to decrypt, as defined in the “No Decryption” Decryption
policies to which you attach the profile. (Don’t use a policy rule to
exclude traffic that you can’t decrypt because a site breaks decryption for
technical reasons such as a pinned certificate or mutual authentication.
Instead, add the hostname to the Decryption Exclusion List.) The following figure
shows the general best practice recommendations for the No Decryption
profile settings, but the settings you use also depend on your company’s
security compliance rules and local laws and regulations.
Block sessions with expired certificates: Check this box to block sessions
with servers that have expired certificates and prevent access to
potentially insecure sites. If you don’t check this box, users see a warning
message when they attempt to connect, but the connection is not prevented,
so they can still connect to and transact with potentially malicious sites.
Block sessions with untrusted issuers: Check this box to block sessions with
servers that have untrusted certificate issuers. An untrusted issuer may
indicate a man-in-the-middle attack, a replay attack, or another attack.
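To make the two checks concrete, the following is an added illustrative model (not PAN-OS code or its API) of how a No Decryption profile's two settings turn a server certificate's verification results into an allow or block verdict; the profile objects, trust store and certificates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class NoDecryptionProfile:
    """Server verification checks applied to traffic the policy does not decrypt."""
    block_expired_certificates: bool
    block_untrusted_issuers: bool


@dataclass(frozen=True)
class ServerCert:
    """Minimal view of a server certificate (constructed, not parsed X.509)."""
    hostname: str
    issuer: str
    not_after: datetime


# Constructed trust store: issuers the firewall trusts (hypothetical names).
TRUSTED_ISSUERS = frozenset({"Example Root CA", "Example Intermediate CA"})

# Best-practice profile: both boxes checked. Permissive: both unchecked.
BEST_PRACTICE = NoDecryptionProfile(True, True)
PERMISSIVE = NoDecryptionProfile(False, False)


def evaluate(cert, profile, now, trusted_issuers=TRUSTED_ISSUERS):
    """Return (action, findings). findings lists every failed check; a failed
    check whose box is unchecked only produces a user warning, so action stays
    'allow' and the session goes through."""
    findings = []
    if cert.not_after < now:
        findings.append("expired certificate")
    if cert.issuer not in trusted_issuers:
        findings.append("untrusted issuer")
    blocked = (("expired certificate" in findings and profile.block_expired_certificates)
               or ("untrusted issuer" in findings and profile.block_untrusted_issuers))
    return ("block" if blocked else "allow", findings)


def summarize(certs, profile, now):
    """Map each hostname to its verdict under the given profile."""
    return {c.hostname: evaluate(c, profile, now)[0] for c in certs}


# Constructed sample sessions evaluated at a fixed point in time.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    ServerCert("good.example", "Example Root CA", datetime(2025, 1, 1, tzinfo=timezone.utc)),
    ServerCert("expired.example", "Example Root CA", datetime(2024, 1, 1, tzinfo=timezone.utc)),
    ServerCert("untrusted.example", "Unknown CA", datetime(2025, 1, 1, tzinfo=timezone.utc)),
]
```

Running `summarize(SAMPLE_CERTS, BEST_PRACTICE, NOW)` blocks the expired and untrusted hosts, while the permissive profile allows all three and only records the findings.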