Two types of traffic are unsuitable for decryption:

The firewall provides a predefined SSL Decryption Exclusion list (Device > Certificate Management > SSL Decryption Exclusion) for commonly used sites that break decryption because of technical reasons. You can remove predefined sites from the list by clicking the checkbox next to the site hostname and then clicking Disable, and you can add sites to the list. Use the Decryption Exclusion list only for sites that break decryption for technical reasons, don’t use it for sites that you choose not to decrypt. If decryption breaks an important application, add it to the Decryption Exclusion list to create an exception for the specific IP address, domain, or common name in the certificate associated with the application. Some internal custom applications may break if you decrypt them.

If the Decryption profile allows Unsupported Modes (sessions with client authentication, unsupported versions, or unsupported cipher suites), the firewall automatically adds servers and applications that use the allowed unsupported modes to the its Local Decryption Exclusion Cache (DeviceCertificate ManagementSSL Decryption ExclusionShow Local Exclusion Cache). When you block unsupported modes, you increase security but you also block communication with applications that use those modes.

You may choose not to decrypt traffic for reasons such as regulations and legal compliance. For example, the European Union (EU) General Data Protection Regulation (GDPR) will require strong protection of all personal data for all individuals. The GDPR affects all companies, including foreign companies, that collect or process the personal data of EU residents. Different regulations and compliance rules may mean that you treat the same data differently in different countries or regions. Businesses usually can decrypt personal information in their corporate data centers because the business owns the information. The best practice is to decrypt as much traffic as possible so that you can see it and apply security protection to it.

For traffic you choose not to decrypt, make sure it really is traffic you don’t want to decrypt, and then create a policy-based exclusion that specifies the application, user group, source and destination, URL category, and/or service to limit each exclusion as much as possible. The more specific the decryption exclusion, the better, so that you don’t inadvertently exclude more traffic than necessary from decryption.