The firewall decrypts inbound and outbound
SSL/TLS traffic to inspect the traffic for threats. When you create
a Security policy rule that allows traffic and apply Security profiles
to the rule, create an analogous Decryption policy rule to decrypt
that traffic. If you don’t decrypt the traffic, the firewall can’t
use the Security profiles to inspect the traffic (you can’t inspect
what you can’t see). The firewall re-encrypts the traffic before
forwarding it. (See SSL Inbound Inspection and SSL Forward Proxy.)
You can configure the firewall to verify
the revocation status of certificates used for decryption as follows.
Enabling revocation status verification
for SSL/TLS decryption certificates will add time to the process
of establishing the session. The first attempt to access a site
might fail if the verification does not finish before the session
times out. For these reasons, verification is disabled by default.