Decryption profiles

Decryption profiles enable you to enforce decryption settings on SSL/TLS connections.

  • To clone a decryption profile, click Clone Clone button.
  • To edit a decryption profile, click Edit Edit button.

You can specify the re-signing certificate authorities to sign SSL/TLS server certificates after XG Firewall intercepts, decrypts, and inspects secure traffic. You can also specify the action for traffic that can't be decrypted due to issues such as insecure protocol versions, unrecognized cipher suites, SSL compression, or connections that exceed the firewall's decryption capabilities.

You can specify the action for certificate validation errors and insecure cipher algorithms. You can also enforce an RSA key size and SSL/TLS versions to use.

Tip When you specify a setting in both the decyption profile and SSL/TLS inspection settings, the settings in the decryption profile override the settings in SSL/TLS inspection settings.
Note You can't edit the default profiles.

The default profiles are as follows:

Maximum compatibility: Decrypts as many connections as possible. Doesn't restrict cipher usage.

Block insecure SSL: Prevents the use of weak ciphers. Allows non-decryptable traffic.

Strict compliance: Implements strict compliance. Use this to meet PCI DSS (Payment Card Industry Data Security Standard) specifications.