Set Default Handling for Undecryptable Traffic

You can set undecryptable traffic actions at the decryption policy level to handle certain types of encrypted traffic the system cannot decrypt or inspect. When you deploy a decryption policy that contains no decryption rules, the undecryptable traffic actions determine how all undecryptable encrypted traffic on your network is handled.

Depending on the type of undecryptable traffic, you can choose to:

  • Block the connection.

  • Block the connection, then reset it. This option is preferrable for connectionless protocols like UDP, which keep trying to connect until the connection is blocked.

  • Inspect the encrypted traffic with access control.

  • Inherit the default action from the decryption policy.

Procedure

Step 1

Click Policies > Access Control > Decryption.

Step 2

Click Edit (edit icon) next to the name of the decryption policy.

Step 3

In the decryption policy editor, click Undecryptable Actions.

Step 4

For each field, choose either the decryption policy's default action or another action you want to take on the type of undecryptable traffic. See Default Handling Options for Undecryptable Traffic and Decryption Policy Default Actions for more information.

Step 5

Click Save to save the policy.

What to do next

  • Configure default logging for connections handled by the undecryptable traffic actions.

  • Deploy configuration changes.