Standard decryption policies
A standard decryption policy is a decryption policy type that is simpler to set up than other policy types and optimizes network performance by reducing processing load.
Benefits of standard decryption policies
Traffic decryption requires significant processing and decrypting too much traffic can slow down your system. The standard decryption policy type helps minimize issues commonly experienced by customers by preventing excessive traffic decryption.
Decryption policy types
Decryption policy types include standard decryption policies and rule-based decryption policies.
Standard decryption policies
We recommend the standard decryption policy type because it's easy to set up with a wizard-like appearance, enabling you to easily pick security zones, users and networks, and other objects to use in your policy. A standard decryption policy is particularly suitable for users who are not familiar with the complexities of decryption policies.
This section provides an example of setting up a standard decryption policy.
This policy decrypts outbound traffic only. All traffic from the OutsideZone security zone on any IPv4 network is decrypted
using an internal CA named IntCA.
Key points about decryption policies include:
-
The rule is a partial example; more options are available.
-
You can configure inbound criteria, outbound criteria, or both.
-
In addition to objects, you can also optionally configure outbound decryption exclusions, such as:
-
Undecryptable applications (such as ones that use certificate pinning).
-
URL categories such as medical, trading, and finance.
-
-
You can configure outbound block criteria for certificate status and TLS version.
-
A standard policy has advanced policy options that are similar to rule-based policies.
Rule-based decryption policies
Rule-based decryption policies are created using a wizard that guides you through the available options for inbound decryption, outbound decryption, or both. After you create the rule-based decryption policy, you can add more rules to it, reorder rules, or make other changes to suit your needs.
A rule-based decryption policy is the most flexible but also the most potentially complicated. You can convert a standard decryption policy to a rule-based policy at any time.
Standard decryption policy deployment issues to versions earlier than 10.0.0
If you deploy a standard decryption policy to a device that runs a version earlier than 10.0.0, you can encounter compatibility issues.
-
If you configured any inbound decryption rules, the rule action is changed to Decrypt - Known Key on those devices. For more information about the kinds of incoming decryption actions, see Incoming traffic decryption.
-
The advanced policy option Intelligent Decryption Bypass requires the device to run version 7.7 or later. By default, this advanced option is disabled. If enabled, policy deployment fails when the device runs a version earlier than 7.7.






)
Feedback