Prepare to Deploy Decryption
Proper preparation makes deploying decryption much easier and smoother because everyone from IT to executives to the user base is educated and ready for the changes.
The most time-consuming part of deploying decryption isn’t configuring the decryption policies and profiles; it’s preparing for the deployment by working with stakeholders to decide what traffic to decrypt and what not to decrypt, educating your user population about changes to website access, developing a public key infrastructure (PKI) strategy, and planning a staged, prioritized rollout.
Set goals for decryption and review the Decryption planning best practices checklist to ensure that you understand the recommended best practices. The best practice goal is to decrypt as much traffic as your firewall resources permit and to decrypt the most important traffic first.
Migrate from port-based to application-based Security policy rules before you create and deploy Decryption policy rules. If you create Decryption rules based on port-based Security policy and then migrate to application-based Security policy, the change could cause the Decryption rules to block traffic that you intend to allow, because Security policy rules are likely to use application default ports to prevent application traffic from using non-standard ports. For example, traffic identified as web-browsing application traffic (default port 80) may have underlying applications that have different default ports, such as HTTPS traffic (default port 443). The application-default rule blocks the HTTPS traffic because it sees the decrypted traffic using a “non-standard” port (443 instead of 80). Migrating to App-ID based rules before deploying decryption means that when you test your decryption deployment in proofs of concept (POCs), you’ll discover Security policy misconfiguration and fix it before rolling it out to the general user population.
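The interaction described above, as an added illustration that is not PAN-OS code or part of the original page: a simplified model of rule evaluation in which a rule with service "application-default" matches a flow only on the application's own default ports. The default-port table, rule names and flows are constructed for the demo; the final function lists the flows a port-based rulebase allowed but an application-based rulebase denies, which is what a POC run before the general rollout should surface.

```python
from dataclasses import dataclass

# Constructed default-port table for the two App-IDs the text names.
APP_DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}}

@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset      # App-IDs matched; "any" matches every application
    ports: frozenset     # explicit service ports; unused when app_default
    app_default: bool    # service = application-default
    action: str          # "allow" or "deny"

@dataclass(frozen=True)
class Flow:
    app: str    # App-ID seen: "ssl" while encrypted, inner app once decrypted
    port: int

def rule_matches(rule, flow):
    if "any" not in rule.apps and flow.app not in rule.apps:
        return False
    if rule.app_default:
        # application-default matches only on the application's own default ports
        return flow.port in APP_DEFAULT_PORTS.get(flow.app, set())
    return flow.port in rule.ports

def evaluate(rules, flow):
    """Action of the first matching rule; implicit deny if none matches."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"

def flows_broken_by_migration(old_rules, new_rules, flows):
    """Flows allowed by the old rulebase but denied by the new one: the
    misconfiguration a POC should surface before the general rollout."""
    return [f for f in flows
            if evaluate(old_rules, f) == "allow" and evaluate(new_rules, f) == "deny"]

# Port-based rule written before decryption: any application on tcp/443.
PORT_BASED = [Rule("allow-tcp-443", frozenset({"any"}), frozenset({443}), False, "allow")]
# App-based replacement: ssl and web-browsing on their application-default ports.
APP_BASED = [Rule("allow-web", frozenset({"ssl", "web-browsing"}), frozenset(), True, "allow")]

# Constructed flows: one session as seen encrypted, the same session after
# decryption reveals web-browsing on port 443, and ordinary HTTP on port 80.
ENCRYPTED, DECRYPTED, PLAIN_HTTP = Flow("ssl", 443), Flow("web-browsing", 443), Flow("web-browsing", 80)

if __name__ == "__main__":
    print(flows_broken_by_migration(PORT_BASED, APP_BASED, [ENCRYPTED, DECRYPTED, PLAIN_HTTP]))
```

Only the decrypted web-browsing flow on port 443 is reported: the encrypted session and plain HTTP are allowed by both rulebases.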
To prepare to deploy Decryption: