Skip to main content



Cisco Defense Orchestrator

Guidelines for SSL Decryption

Keep the following in mind when configuring and monitoring SSL decryption policies:

  • The SSL Decryption policy is bypassed for any connections that match access control rules set to trust or block if those rules:
    • Use security zone, network, geolocation, and port only as the traffic matching criteria.
    • Come before any other rules that require inspection, such as rules that match connections based on application or URL, or allow rules that apply intrusion or file inspection.
  • When using URL category matching, note that there are cases where the login page for a site is in a different category than the site itself. For example, Gmail is in the “Web based email” category, whereas the login page is in the “Internet Portals” category. To get connections to these sites decrypted, you must include both categories in the rule.
  • You cannot disable the SSL decryption policy if you have any active authentication rules. To disable the SSL decryption policy, you must either disable the identity policy, or delete any identity rules that use active authentication.
  • Was this article helpful?