Even though the traffic is encrypted, you can protect
your network against sessions with expired certificates and untrusted
issuers for traffic you choose not to decrypt for legal, business,
or privacy reasons.
You create no-decryption policies for traffic that you choose not to decrypt because the traffic is personal, sensitive, or subject to local laws and regulations. For example, you may choose not to decrypt the traffic of certain executives, or traffic between finance users and finance servers that contains personal information. (Don't use a no-decryption policy to exclude traffic that you can't decrypt for technical reasons, such as a site that uses a pinned certificate or requires mutual authentication. Instead, add the hostname to the Decryption Exclusion List.)
However, just because you don't decrypt the traffic doesn't mean you should let any and all undecrypted traffic onto your network. It is a best practice to apply a No Decryption profile to undecrypted traffic to block sessions with expired certificates and untrusted issuers.
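The two checks a No Decryption profile performs need nothing more than the server's certificate chain, which is exchanged during the handshake before any application data. The following Go program is an added example (it is not Palo Alto Networks code and does not reproduce the firewall's implementation): it builds a small constructed PKI in memory (a trusted root, a valid server certificate, an expired one, and one issued by a root the "firewall" does not trust) and evaluates each chain the way a no-decryption check would, returning a block or allow verdict without ever holding a session key. The type and function names (Verdict, EvaluateNoDecrypt, BuildScenario, the example hostnames) are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict is the decision a no-decryption check returns for one TLS session.
type Verdict string

const (
	Allow                Verdict = "allow"
	BlockExpiredCert     Verdict = "block: expired certificate"
	BlockUntrustedIssuer Verdict = "block: untrusted issuer"
)

// EvaluateNoDecrypt applies the two No Decryption profile checks to the server
// certificate chain seen in the handshake (chain[0] is the leaf). It inspects
// only the certificates, never application data, so no decryption is needed.
func EvaluateNoDecrypt(chain []*x509.Certificate, roots *x509.CertPool, now time.Time) (Verdict, error) {
	if len(chain) == 0 {
		return BlockUntrustedIssuer, fmt.Errorf("server presented no certificate")
	}
	leaf := chain[0]
	// Check the validity window explicitly so the block reason is precise.
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return BlockExpiredCert, fmt.Errorf("valid %s to %s, session at %s",
			leaf.NotBefore.Format(time.RFC3339), leaf.NotAfter.Format(time.RFC3339), now.Format(time.RFC3339))
	}
	// Remaining certificates in the chain are candidate intermediates.
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	// Chain the leaf to a configured trusted root. Hostname matching is left out
	// because this profile checks the issuer, not the name in the certificate.
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inter, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return BlockUntrustedIssuer, err
	}
	return Allow, nil
}

// Scenario is a constructed test PKI: one trusted root and three server chains.
type Scenario struct {
	Roots                     *x509.CertPool
	Now                       time.Time
	Valid, Expired, Untrusted []*x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mint signs tmpl with signer; passing parent == tmpl yields a self-signed cert.
func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildScenario creates the sample certificates in memory. The CA and host
// names are constructed for this example; none of them is a real CA or server.
func BuildScenario() Scenario {
	now := time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC)
	year := 365 * 24 * time.Hour
	ca := func(cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-year), NotAfter: now.Add(5 * year),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	}
	leaf := func(cn string, serial int64, notBefore, notAfter time.Time) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			DNSNames: []string{cn}, NotBefore: notBefore, NotAfter: notAfter,
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	}
	rootKey, rogueKey, srvKey := newKey(), newKey(), newKey()
	rootTmpl, rogueTmpl := ca("Example Trusted Root"), ca("Example Unknown Root")
	root := mint(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	rogue := mint(rogueTmpl, rogueTmpl, &rogueKey.PublicKey, rogueKey)
	roots := x509.NewCertPool()
	roots.AddCert(root) // only this root is trusted by the simulated firewall
	return Scenario{Roots: roots, Now: now,
		Valid:     []*x509.Certificate{mint(leaf("finance.example.test", 2, now.Add(-year), now.Add(year)), root, &srvKey.PublicKey, rootKey), root},
		Expired:   []*x509.Certificate{mint(leaf("old.example.test", 3, now.Add(-2*year), now.Add(-24*time.Hour)), root, &srvKey.PublicKey, rootKey), root},
		Untrusted: []*x509.Certificate{mint(leaf("rogue.example.test", 4, now.Add(-year), now.Add(year)), rogue, &srvKey.PublicKey, rogueKey), rogue},
	}
}

func main() {
	s := BuildScenario()
	for _, c := range []struct {
		name  string
		chain []*x509.Certificate
	}{{"valid", s.Valid}, {"expired", s.Expired}, {"untrusted-issuer", s.Untrusted}} {
		v, err := EvaluateNoDecrypt(c.chain, s.Roots, s.Now)
		fmt.Printf("%-16s -> %s (%v)\n", c.name, v, err)
	}
}
```

Run with `go run .`; the valid chain is allowed and the other two are blocked with the matching reason. One caveat a practitioner should keep in mind: in TLS 1.2 and earlier the server's Certificate message is sent in cleartext, which is what makes this kind of check possible without decryption; in TLS 1.3 that message is encrypted, so an inline device that does not decrypt sees only the ClientHello and ServerHello and cannot inspect the certificate this way.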