Attach Decryption profiles to Decryption policy rules
to control the protocol versions, algorithms, verification checks,
and session checks the firewall accepts for the traffic defined
in the policy rules.
A decryption profile allows you to perform
checks on both decrypted traffic and SSL traffic that you
choose to
exclude from
decryption. (If a server breaks SSL decryption technically due to
certificate pinning or other reasons, add the server to the Decryption
Exclusion list.)
Depending on your needs, create Decryption profiles to:
Block
sessions based on certificate status, including blocking sessions
with expired certificates, untrusted issuers, unknown certificate
status, certificate status check timeouts, and certificate extensions.
Block sessions with unsupported versions and cipher suites,
and that require using client authentication.
Block sessions if the resources to perform decryption are
not available or if a hardware security module is not available
to sign certificates.
Define the protocol versions and key exchange, encryption,
and authentication algorithms allowed for SSL Forward Proxy and
SSL Inbound Inspection traffic in the SSL Protocol Settings.
Don’t
weaken the main Decryption profile that you apply to most sites
to accommodate weaker sites. Instead, create one or more separate
Decryption profiles for sites that you need to support but that
don’t support strong ciphers and algorithms. You can also create
different Decryption profiles for different URL Categories to fine
tune security vs. performance for traffic that contains no sensitive
material; however, you should always decrypt and inspect all the
traffic you can.
After you create a decryption profile, attach
it to a decryption policy rule; the firewall then enforces the decryption
profile settings on traffic that matches the decryption policy rule.
Avoid supporting weak protocols or algorithms
because they contain known vulnerabilities that attackers can exploit.
If you must allow a weaker protocol or algorithm to support a key
partner or contractor who uses legacy systems with weak protocols,
create a separate Decryption profile for the exception and attach
it to a Decryption policy rule that applies the profile only to
the relevant traffic (for example, the source IP address of the
partner). Don’t allow the weak protocol for all traffic.