Create a Decryption Policy with Outbound Connection Protection

This task discusses how to create a decryption policy with a rule that protects outbound connections; that is, the destination server is outside your protected network. This type of rule has a Decrypt - Resign rule action.

When you create a decryption policy, you can create multiple rules at the same time, including multiple Decrypt - Known Key rules and multiple Decrypt - Resign rules.

If you enabled Change Management, you must create and assign a ticket before you can create a decryption policy. Before the decryption policy can be used, the ticket and all associated objects (like certificate authorities) must be approved. For more information, see Creating Change Management Tickets and Policies and Objects that Support Change Management.

Before you begin

You can optionally must upload an internal CA certificate for your managed device before you can create a decryption policy that protects outbound connections. You can do this in any of the following ways:

Create an internal CA certificate object by going to Objects > Object Management > PKI > Internal CAs and referring to PKI.
At the time you create this decryption policy.

Procedure

Step 1	Log in to CDO if you haven't already done so.
Step 2	Click Tools & Services > Firewall Management Center > Policies > Access Control > Decryption.
Step 3	Click Create Decryption Policy.
Step 4	Give the policy a unique Name and, optionally, a Description.
Step 5	Click the Outbound Connections tab.
Step 6	From the Internal Certificates list, upload or choose certificates for the rules. For more information about internal certificates, see Generate an Internal CA for Outbound Protection and Upload an Internal CA for Outbound Protection.
Step 7	(Optional.) Choose networks and ports. For more information: Network Rule Conditions Port Rule Conditions
Step 8	Click Next.
Step 9	Continue with Decryption Policy Exclusions.
Step 10	Click Save.

What to do next

Add rule conditions: Decryption Rule Conditions
Add a default policy action: Decryption Policy Default Actions
Configure logging options for the default action .
Set advanced policy properties: Decryption Policy Advanced Options.
Associate the decryption policy with an access control policy as described in Associating Other Policies with Access Control.
Deploy configuration changes.