Policies > Decryption

End-of-Life (EoL)


You can configure the firewall to decrypt traffic for visibility, control, and granular security. Decryption policies can apply to Secure Sockets Layer (SSL) traffic, including SSL-encapsulated protocols such as IMAP(S), POP3(S), SMTP(S), and FTP(S), and to Secure Shell (SSH) traffic. SSH decryption can be used to decrypt outbound and inbound SSH traffic to ensure that secure protocols are not being used to tunnel disallowed applications and content.
Add a decryption policy rule to define traffic that you want to decrypt (for example, you can decrypt traffic based on URL categorization). Decryption policy rules are compared against the traffic in sequence, so more specific rules must precede the more general ones.
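The ordering requirement above can be checked mechanically. The following is an added example, not firewall configuration or vendor code: it models rules that match only on URL category (real rules have more match criteria), with constructed rule names, and shows how a general rule placed first shadows a more specific exemption.

```python
from dataclasses import dataclass

ANY = frozenset({"any"})  # assumption: "any" stands for every URL category


@dataclass(frozen=True)
class Rule:
    name: str
    url_categories: frozenset
    action: str  # "decrypt" or "no-decrypt"

    def matches(self, category):
        return self.url_categories == ANY or category in self.url_categories

    def covers(self, other):
        """True if every category `other` can match is also matched by self."""
        if self.url_categories == ANY:
            return True
        return other.url_categories != ANY and other.url_categories <= self.url_categories


def evaluate(rules, category):
    """Compare rules in sequence; the first match decides. None if nothing matches."""
    for rule in rules:
        if rule.matches(category):
            return rule.name, rule.action
    return None


def shadowed(rules):
    """Return (shadowed, shadowing) pairs: later rules fully covered by one earlier rule.
    Coverage by a combination of several earlier rules is not detected."""
    pairs = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                pairs.append((later.name, earlier.name))
                break
    return pairs


# Constructed sample rules (hypothetical names).
GENERAL = Rule("decrypt-all", ANY, "decrypt")
SPECIFIC = Rule("exempt-sensitive",
                frozenset({"financial-services", "health-and-medicine"}), "no-decrypt")

WRONG_ORDER = [GENERAL, SPECIFIC]   # exemption can never match
RIGHT_ORDER = [SPECIFIC, GENERAL]   # specific rule precedes the general one
```

Running `shadowed()` over an exported rule list before committing a change flags exemptions that would silently never take effect.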
SSL forward proxy decryption requires a trusted certificate, which the firewall presents to the user when the server to which the user is connecting has a certificate signed by a CA that the firewall trusts. Create a certificate on the Device > Certificate Management > Certificates page, then click the name of the certificate and select Forward Trust Certificate.
The firewall doesn’t decrypt applications that technically break under decryption, for example because they use pinned certificates or client authentication.
The following tables describe the decryption policy settings: