Allow non-decryptable traffic using SSL/TLS inspection rules
You can allow connections without decrypting them for trusted websites that use SSL 2.0 and SSL 3.0, SSL compression, or unrecognized cipher suites.
Introduction
To allow non-decryptable traffic, do the following:
- Create a decryption profile, specifying the connection parameters (SSL 2.0 and SSL 3.0, SSL compression, unrecognized cipher suites) to allow without decryption.
- Create an SSL/TLS inspection rule for connections you don't want to decrypt. In this example, you use the destination IP address to find traffic that matches the rule criteria. Alternatively, you can add FQDN host groups to the SSL/TLS inspection rule to find the matching traffic.
Create a decryption profile to allow non-decryptable traffic
Create a decryption profile to allow connections that use SSL 2.0 and SSL 3.0, SSL compression, and unrecognized cipher suites without decryption.
- Go to Profiles > Decryption profiles and click Add.
- Specify the following settings.
  Name: Enter a name. Example: Allow_non-decryptable_profile
  SSL 2.0 and SSL 3.0: Allow without decryption
  SSL compression: Allow without decryption
  Unrecognized cipher suites: Allow without decryption
- Click Save.
Create an SSL/TLS rule for the non-decryptable traffic
Create an SSL/TLS rule without decryption for trusted connections that use SSL 2.0 and SSL 3.0, SSL compression, and unrecognized cipher suites.
- Go to Rules and policies > SSL/TLS inspection rules and click Add.
- Enter a name.
- Specify the following settings.
  Action: Don't decrypt
  Decryption profile: Select the decryption profile you created. Example: Allow_non-decryptable_profile
  Source zone: LAN
  Destination zones: WAN
  Destination networks: Enter the website's IP address. Example: 11.1.1.1
- Click Save.
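To check which connections this rule and profile would actually carve out, the following added example (not part of the original page or of the firewall's own code) parses a TLS ServerHello, classifies the handshake under the three profile parameters, and applies the example rule (LAN to WAN, destination 11.1.1.1). The list of recognized cipher suites, the ServerHello bytes and the evaluation order are constructed assumptions for illustration.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed short list standing in for the suites the inspector recognizes (assumption).
RECOGNIZED_SUITES = {0x002F, 0x0035, 0x009C, 0x009D, 0xC02F, 0xC030, 0x1301, 0x1302, 0x1303}

# The decryption profile from the page: each non-decryptable case is allowed without decryption.
ALLOW_NON_DECRYPTABLE_PROFILE = {
    "SSL 2.0 and SSL 3.0": "Allow without decryption",
    "SSL compression": "Allow without decryption",
    "Unrecognized cipher suites": "Allow without decryption",
}
# The SSL/TLS inspection rule from the page: LAN -> WAN to the trusted website's address.
RULE = {"source_zone": "LAN", "destination_zone": "WAN",
        "destination_network": ip_network("11.1.1.1/32"), "action": "Don't decrypt"}

def build_server_hello(version, cipher_suite, compression):
    """Construct a minimal TLS handshake record carrying a ServerHello (sample input)."""
    body = (struct.pack("!H", version) + bytes(32)         # version, 32-byte server random
            + b"\x00"                                      # empty session ID
            + struct.pack("!H", cipher_suite) + bytes([compression]))
    hs = b"\x02" + len(body).to_bytes(3, "big") + body     # handshake type 2 = ServerHello
    return struct.pack("!BHH", 22, version, len(hs)) + hs  # record type 22 = handshake

def parse_server_hello(record):
    """Return (version, cipher suite, compression method) negotiated in a ServerHello."""
    ctype, _, rec_len = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rec_len]
    if ctype != 22 or hs[0] != 2:
        raise ValueError("not a ServerHello record")
    body = hs[4:]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32 + 1 + body[34]                            # skip random and session ID
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]
    return version, cipher_suite, body[pos + 2]

def non_decryptable_case(record):
    """Map the handshake to the profile parameter it trips, or None if it is decryptable."""
    version, cipher_suite, compression = parse_server_hello(record)
    if version < 0x0301:                                   # below TLS 1.0, i.e. SSL 3.0 or older
        return "SSL 2.0 and SSL 3.0"
    if compression != 0:                                   # anything other than null compression
        return "SSL compression"
    if cipher_suite not in RECOGNIZED_SUITES:
        return "Unrecognized cipher suites"
    return None

def evaluate(src_zone, dst_zone, dst_ip, record):
    """Apply the rule; on a match the profile decides how a non-decryptable connection is handled."""
    if (src_zone, dst_zone) != (RULE["source_zone"], RULE["destination_zone"]) \
            or ip_address(dst_ip) not in RULE["destination_network"]:
        return "no match"                                  # falls through to later rules
    case = non_decryptable_case(record)
    return ALLOW_NON_DECRYPTABLE_PROFILE[case] if case else RULE["action"]
```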