How to Configure Decryption Policies and Rules

This topic provides a high-level overview of tasks you must complete to configure decryption policies and decryption rules in those policies to block, monitor, or allow TLS/SSL traffic on your network.

You must be an Admin, Access Admin, or Network Admin to perform this task.

Procedure


Step 1

For Decrypt - Known Key decryption rules (to decrypt inbound traffic to an internal server), create an internal certificate object.

The internal certificate object uses your server's certificate and private key. See Internal Certificate Objects.

Step 2

For Decrypt - Resign decryption rules (to decrypt outbound traffic to a server outside of your network), create an internal certificate authority (CA) object.

The internal CA object uses a CA and private key. See Internal Certificate Authority Objects.

Step 3

Create a decryption policy and, optionally, rules.

You can create a decryption policy with multiple rules at the same time. You can also create a decryption policy without rules; for example, to add the rules later or to create a policy with Do Not Decrypt rule actions. For more information, see Create a Decryption Policy.

Step 4

Set a default action for your decryption policy.

The default action is taken when traffic matches none of the rules in the decryption policy. See Decryption Policy Default Actions.

Step 5

Specify how undecryptable traffic should be handled.

Traffic can be undecryptable for a number of reasons, including unsecure protocols, use of an unknown cipher suite, or errors during the handshake or decryption. See Default Handling Options for Undecryptable Traffic.

Step 6

Configure advanced settings for your decryption policy.

Advanced settings include disabling HTTP/3 advertisements, enabling TLS 1.3 decryption, and enabling the TLS server identity probe. For more information, see Decryption Policy Advanced Options.

Step 7

Associate the decryption policy with an access control policy.

Unless you associate your decryption policy with an access control policy, it has no effect. Once associated, you can choose to allow or block traffic that matches an access control rule and take other actions on it. See Associating Other Policies with Access Control.

Step 8

Configure your access control rules to allow or block decrypted traffic.

Step 9

Choose whether or not to enable TLS server identity discovery in the access control policy.

For more information, see Access Control Policy Advanced Settings.

Step 10

Deploy the access control policy to managed devices.

Before your policy can take effect, it must be deployed to managed devices. See Deploy Configuration Changes.
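As an added illustration (not Cisco's own code, and not the management center UI), the following Python script models how a policy built in steps 3 through 5 evaluates a TLS flow: ordered first-match rules, the default action when no rule matches, and the per-reason handling applied when a flow a rule wants to decrypt turns out to be undecryptable. The zone names, hostnames, flow and rule fields, reason identifiers and the "Inherit default action" option are assumptions made for the example.

```python
"""Toy model of decryption policy evaluation (added example, not Cisco code).

Rule fields, zone names, hostnames, reason identifiers and the
"Inherit default action" option are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Rule and default actions, named as in the procedure above.
DECRYPT_KNOWN_KEY = "Decrypt - Known Key"
DECRYPT_RESIGN = "Decrypt - Resign"
DO_NOT_DECRYPT = "Do Not Decrypt"
BLOCK = "Block"
INHERIT = "Inherit default action"   # assumed name for "fall back to step 4"

# Undecryptable-traffic reasons from step 5 (constructed identifiers).
UNSECURE_PROTOCOL = "unsecure_protocol"
UNKNOWN_CIPHER_SUITE = "unknown_cipher_suite"
HANDSHAKE_ERROR = "handshake_error"
DECRYPTION_ERROR = "decryption_error"


@dataclass
class Flow:
    """A TLS session as the policy sees it (constructed fields)."""
    src_zone: str
    dst_zone: str
    dst_port: int
    sni: Optional[str] = None                  # server name from the ClientHello
    undecryptable_reason: Optional[str] = None  # set when decryption cannot proceed


@dataclass
class Rule:
    """Decryption rule: every set condition must match; unset ones are wildcards."""
    name: str
    action: str
    src_zone: Optional[str] = None
    dst_zone: Optional[str] = None
    dst_port: Optional[int] = None
    sni_suffix: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        if self.src_zone is not None and flow.src_zone != self.src_zone:
            return False
        if self.dst_zone is not None and flow.dst_zone != self.dst_zone:
            return False
        if self.dst_port is not None and flow.dst_port != self.dst_port:
            return False
        if self.sni_suffix is not None:
            if flow.sni is None or not flow.sni.endswith(self.sni_suffix):
                return False
        return True


@dataclass
class DecryptionPolicy:
    rules: List[Rule]
    default_action: str = DO_NOT_DECRYPT                    # step 4
    undecryptable: Dict[str, str] = field(default_factory=dict)  # step 5: reason -> action

    def match(self, flow: Flow) -> Tuple[str, str]:
        """Step 3: ordered, first-match rule lookup, falling back to the default action."""
        for rule in self.rules:
            if rule.matches(flow):
                return rule.name, rule.action
        return "<default>", self.default_action

    def decide(self, flow: Flow) -> Tuple[str, str]:
        """Final verdict; applies the step-5 handling only when a decrypt action cannot proceed."""
        name, action = self.match(flow)
        if action in (DECRYPT_KNOWN_KEY, DECRYPT_RESIGN) and flow.undecryptable_reason:
            fallback = self.undecryptable.get(flow.undecryptable_reason, INHERIT)
            if fallback == INHERIT:
                fallback = self.default_action
            return f"{name} (undecryptable: {flow.undecryptable_reason})", fallback
        return name, action


def build_example_policy() -> DecryptionPolicy:
    """Constructed policy mirroring steps 1 to 5 (assumed zones and hostnames)."""
    return DecryptionPolicy(
        rules=[
            # Step 1 pattern: inbound traffic to an internal server whose key we hold.
            Rule("inbound-web", DECRYPT_KNOWN_KEY, dst_zone="inside", dst_port=443),
            # Exemption: do not resign sessions to a destination that must stay private.
            Rule("no-decrypt-bank", DO_NOT_DECRYPT, sni_suffix=".example-bank.test"),
            # Step 2 pattern: outbound traffic is resigned with the internal CA.
            Rule("outbound-resign", DECRYPT_RESIGN, src_zone="inside", dst_zone="outside"),
        ],
        default_action=DO_NOT_DECRYPT,
        undecryptable={
            UNSECURE_PROTOCOL: BLOCK,
            UNKNOWN_CIPHER_SUITE: INHERIT,
            HANDSHAKE_ERROR: BLOCK,
            # DECRYPTION_ERROR deliberately unset: falls back to INHERIT.
        },
    )


if __name__ == "__main__":
    policy = build_example_policy()
    for flow in (
        Flow("outside", "inside", 443, "www.corp.test"),
        Flow("inside", "outside", 443, "login.example-bank.test"),
        Flow("inside", "outside", 443, "www.example.test"),
        Flow("dmz", "outside", 443),
        Flow("inside", "outside", 443, "www.example.test", UNSECURE_PROTOCOL),
        Flow("inside", "outside", 443, "www.example.test", DECRYPTION_ERROR),
    ):
        print(flow, "->", policy.decide(flow))
```

The model makes two points that the procedure states only briefly: a Do Not Decrypt rule placed before the resign rule wins on first match, so rule order matters as much as the actions; and the step-5 handling only changes the verdict for flows a rule actually tried to decrypt, with unlisted reasons inheriting the step-4 default action.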