Skip to content

Allow non-decryptable traffic using SSL/TLS inspection rules

You can allow connections without decrypting them for trusted websites that use SSL 2.0 and SSL 3.0, SSL compression, or unrecognized cipher suites.

Introduction

To allow non-decryptable traffic, do the following:

  • Create a decryption profile, specifying the connection parameters (SSL 2.0 and SSL 3.0, SSL compression, unrecognized cipher suites) to allow without decryption.
  • Create an SSL/TLS inspection rule for connections you don't want to decrypt. In this example, you use the destination IP address to find traffic that matches the rule criteria. Alternatively, you can add FQDN host groups to the SSL/TLS inspection rule to find the matching traffic.

Create a decryption profile to allow non-decryptable traffic

Create a decryption profile to allow connections that use SSL 2.0 and SSL 3.0, SSL compression, and unrecognized cipher suites without decryption.

  1. Go to Profiles > Decryption profiles and click Add.
  2. Specify the following settings.

    Name Description
    Name Enter a name.

    Example: Allow_non-decryptable_profile
    SSL 2.0 and SSL 3.0 Allow without decryption
    SSL compression Allow without decryption
    Unrecognized cipher suites Allow without decryption
  3. Click Save.

Create an SSL/TLS rule for the non-decryptable traffic

Create an SSL/TLS rule without decryption for trusted connections that use SSL 2.0 and SSL 3.0, SSL compression, and unrecognized cipher suites.

  1. Go to Rules and policies > SSL/TLS inspection rules and click Add.
  2. Enter a name.
  3. Specify the following settings.

    Name Description
    Action Don't decrypt
    Decryption profile Select the decryption profile you created.

    Allow_non-decryptable_profile
    Source zone LAN
    Destination zones WAN
    Destination networks Enter the website's IP address.

    Example: 11.1.1.1
  4. Click Save.