Prepare to Deploy Decryption
Focus
Focus

Prepare to Deploy Decryption

Table of Contents
End-of-Life (EoL)

Prepare to Deploy Decryption

Proper preparation makes deploying decryption much easier and smoother because everyone from IT to executives to the user base is educated and ready for the changes.
The most time-consuming part of deploying decryption isn’t configuring the decryption policies and profiles, it’s preparing for the deployment by working with stakeholders to decide what traffic to decrypt and not to decrypt, educating your user population about changes to website access, developing a private key infrastructure (PKI) strategy, and planning a staged, prioritized rollout.
Set goals for decryption and review Decryption planning best practices checklist to ensure that you understand the recommended best practices. The best practice goal is to decrypt as much traffic as your firewall resources permit and decrypt the most important traffic first.
Migrate from port-based to application-based Security policy rules before you create and deploy Decryption policy rules. If you create Decryption rules based on port-based Security policy and then migrate to application-based Security policy, the change could cause the Decryption rules to block traffic that you intend to allow because Security policy rules are likely to use application default ports to prevent application traffic from using non-standard ports. For example, traffic identified as web-browsing application traffic (default port 80) may have underlying applications that have different default ports, such as HTTPS traffic (default port 443). The application-default rule blocks the HTTPS traffic because it sees the decrypted traffic using a “non-standard” port (443 instead of 80). Migrating to App-ID based rules before deploying decryption means that when you test your decryption deployment in POCs, you’ll discover Security policy misconfiguration and fix it before rolling it out to the general user population.
To prepare to deploy Decryption: