When to Decrypt Traffic, When Not to Decrypt
This section provides guidelines on when you should decrypt traffic and when you should allow it to pass through the firewall encrypted.
When not to decrypt traffic
You should not decrypt traffic if doing so is forbidden by:
-
Law; for example, some jurisdictions forbid decrypting financial information
-
Company policy; for example, your company might forbid decrypting privileged communications
-
Privacy regulations
-
Traffic that uses certificate pinning (also referred to as TLS/SSL pinning) must remain encrypted to prevent breaking the connection
(Snort 2.) If you elect to bypass decryption for certain types of traffic, no processing is done on the traffic. The encrypted traffic is first evaluated by decryption policy and then proceeds to the access control policy, where a final allow or block decision is made.
(Snort 3.) Decryption policy is not bypassed for any connections that match access control rules with actions of Trust, Block, or Block with Reset, unless the traffic is prefiltered. The encrypted traffic is first evaluated by decryption policy and then proceeds to the access control policy, where a final allow or block decision is made.
Encrypted traffic can be allowed or blocked on any decryption rule condition, including, but not limited to:
-
Certificate status (for example, expired or invalid certificate)
-
Protocol (for example, the nonsecure SSL protocol)
-
Network (security zone, IP address, VLAN tag, and so on)
-
Exact URL or URL category
-
Port
-
User group
Decryption rules provide a Do Not Decrypt action for this traffic; for more information, see Decryption Rule Do Not Decrypt Action.
Note | The related information links at the end of this topic explain how some aspects of rule evaluation work. Conditions such as URL and application filtering have limitations with respect to encrypted traffic. Make sure you understand those limitations. For more information about using URL filtering in Do Not Decrypt rules, see Decryption Rule Do Not Decrypt Action. |
When to decrypt traffic
All encrypted traffic must be decrypted to take advantage of the system's threat protection and policy enforcement features. To the extent your managed device allows traffic to be decrypted (subject to its memory and processing power), you should decrypt traffic that is not prohibited by law or regulation. If you must decide what traffic to decrypt, base your decision on the risk of allowing the traffic on your network. The system provides a flexible framework for classifying traffic using rule conditions, which include URL reputation, cipher suite, protocol, and many other factors.