Allow non-decryptable traffic using SSL/TLS inspection rules

You can allow connections without decrypting them for trusted websites that use SSL 2.0 and SSL 3.0, SSL compression, or unrecognized cipher suites.

Introduction

To allow non-decryptable traffic, you need to do the following:
  • Create a decryption profile, specifying the connection parameters (SSL 2.0 and SSL 3.0, SSL compression, unrecognized cipher suites) to allow without decryption.
  • Create an SSL/TLS inspection rule for connections you don't want to decrypt. In this example, you use the destination IP address to find traffic that matches the rule criteria. Alternatively, you can add FQDN host groups to the SSL/TLS inspection rule to find the matching traffic.

Create a decryption profile to allow non-decryptable traffic

Create a decryption profile to allow connections that use SSL 2.0 and SSL 3.0, SSL compression, and unrecognized cipher suites without decryption.

  1. Go to Profiles > Decryption profiles and click Add.
  2. Specify the following settings.

    Name                        Description
    Name                        Enter a name. Example: Allow_non-decryptable_profile
    SSL 2.0 and SSL 3.0         Allow without decryption
    SSL compression             Allow without decryption
    Unrecognized cipher suites  Allow without decryption

  3. Click Save.

Create an SSL/TLS rule for the non-decryptable traffic

Create an SSL/TLS rule without decryption for trusted connections that use SSL 2.0 and SSL 3.0, SSL compression, and unrecognized cipher suites.

  1. Go to Rules and policies > SSL/TLS inspection rules and click Add.
  2. Enter a name.
  3. Specify the following settings.

    Name                  Description
    Action                Don't decrypt
    Decryption profile    Select the decryption profile you created. Example: Allow_non-decryptable_profile
    Source zone           LAN
    Destination zones     WAN
    Destination networks  Enter the website's IP address. Example: 11.1.1.1

  4. Click Save.
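The following is an added Python model of what the profile and rule configured above do together; it is not Sophos code. It parses a constructed TLS ClientHello, flags the three non-decryptable conditions the profile names (SSL 2.0/3.0 version field, a non-null compression method offered, no recognized cipher suite offered), matches the flow against the rule by zones and destination network, and applies the profile. The parser, the small set of "recognized" suites, the rule and profile as Python dictionaries, and the choice to drop a connection whose condition the profile does not allow are all assumptions of this model; the zone, address and action values are the ones from the procedure above.

```python
import ipaddress
import struct

# Conditions as named in the decryption profile.
SSL2_OR_SSL3 = "SSL 2.0 and SSL 3.0"
SSL_COMPRESSION = "SSL compression"
UNRECOGNIZED_CIPHERS = "Unrecognized cipher suites"
ALLOW = "Allow without decryption"

# Assumption: a constructed, deliberately small set of cipher suites the
# inspector can handle (a real inspector recognizes many more).
RECOGNIZED_SUITES = {0x002F, 0x0035, 0x009C, 0x009D, 0xC02F, 0xC030, 0x1301, 0x1302}


def build_client_hello(version, cipher_suites, compression_methods):
    """Build a minimal TLS-format ClientHello record (constructed test input).
    SSLv2-format hellos use a different layout and are not modelled here."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += bytes([len(compression_methods)]) + bytes(compression_methods)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Extract version, offered cipher suites and compression methods."""
    if data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake")
    version = struct.unpack("!H", body[0:2])[0]
    pos = 34                              # skip 2-byte version + 32-byte random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    cm_len = body[pos]
    pos += 1
    methods = list(body[pos:pos + cm_len])
    return {"version": version, "cipher_suites": suites, "compression_methods": methods}


def non_decryptable_conditions(hello, recognized=RECOGNIZED_SUITES):
    """Return the set of profile conditions this ClientHello triggers."""
    conds = set()
    if hello["version"] <= 0x0300:                       # SSL 3.0 (0x0300) or lower
        conds.add(SSL2_OR_SSL3)
    if any(m != 0 for m in hello["compression_methods"]):  # anything but "null"
        conds.add(SSL_COMPRESSION)
    if not any(s in recognized for s in hello["cipher_suites"]):
        conds.add(UNRECOGNIZED_CIPHERS)                  # server can only pick an unknown suite
    return conds


def find_rule(rules, src_zone, dst_zone, dst_ip):
    """First rule whose zones and destination networks match the flow."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (rule["source_zone"] == src_zone and rule["destination_zone"] == dst_zone
                and any(ip in ipaddress.ip_network(n) for n in rule["destination_networks"])):
            return rule
    return None


def decide(rules, src_zone, dst_zone, dst_ip, client_hello):
    """Outcome for one flow: decrypt, allow without decryption, drop, or no match."""
    rule = find_rule(rules, src_zone, dst_zone, dst_ip)
    if rule is None:
        return "no rule matched"
    conds = non_decryptable_conditions(parse_client_hello(client_hello))
    profile = rule["decryption_profile"]
    for cond in sorted(conds):
        if profile.get(cond) != ALLOW:
            return "drop (%s)" % cond        # assumption: disallowed condition is dropped
    if conds or rule["action"] == "Don't decrypt":
        return "allow without decryption"
    return "decrypt"


# The profile and rule from the procedure on this page.
ALLOW_NON_DECRYPTABLE_PROFILE = {SSL2_OR_SSL3: ALLOW, SSL_COMPRESSION: ALLOW, UNRECOGNIZED_CIPHERS: ALLOW}
RULES = [{
    "name": "Allow non-decryptable", "action": "Don't decrypt",
    "decryption_profile": ALLOW_NON_DECRYPTABLE_PROFILE,
    "source_zone": "LAN", "destination_zone": "WAN", "destination_networks": ["11.1.1.1/32"],
}]

if __name__ == "__main__":
    ssl3_hello = build_client_hello(0x0300, [0x002F], [0])
    print(decide(RULES, "LAN", "WAN", "11.1.1.1", ssl3_hello))   # allow without decryption
    print(decide(RULES, "LAN", "WAN", "11.1.1.2", ssl3_hello))   # no rule matched
```

Running the block shows the difference the destination network makes: the same SSL 3.0 handshake to 11.1.1.1 is allowed through undecrypted, while to any other address it matches no rule. Swapping a profile value away from "Allow without decryption" in the dictionary shows how a single condition turns that into a drop in this model.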