How to Configure Decryption Policies and Rules
This topic provides a high-level overview of tasks you must complete to configure decryption policies and decryption rules in those policies to block, monitor, or allow TLS/SSL traffic on your network.
You must be an Admin, Access Admin, or Network Admin to perform this task.
Procedure
Step 1: (Optional) For Decrypt - Known Key decryption rules (to decrypt inbound traffic to an internal server), create an internal certificate object. The internal certificate object uses your server's certificate and private key. See Internal Certificate Objects.
Step 2: (Optional) For Decrypt - Resign decryption rules (to decrypt outbound traffic to a server outside of your network), create an internal certificate authority (CA) object. The internal CA object uses a CA and private key. See Internal Certificate Authority Objects.
Step 3: For outbound protection policies (Decrypt - Resign) or inbound protection policies (Decrypt - Known Key), run the decryption policy wizard.
Step 4: For any other rule action (Do Not Decrypt, Block, Block with Reset, or Monitor), create a decryption policy and rules manually.
What to do next
See one of the following: