Exclude traffic from decryption for TLS inspection
Some traffic is automatically excluded from decryption. You can also exclude traffic from decryption globally, add rules to exclude specific traffic from decryption, or create specific lists of domains to exclude from decryption.
Traffic to and from some servers that use TLS can contain users’ personal information that is protected by laws related to the privacy of communications. Decrypting and inspecting this traffic might be illegal in some jurisdictions. Some connections or network applications also might not work correctly if the traffic is decrypted.
You can exclude traffic from decryption and inspection in several ways:
- Globally with a TLS Match element.
- For specific matching traffic with an HTTPS Inspection Exception element.
- For network applications that match the URL categories specified in the Private Data application usage tag. You can use the Private Data application usage tag in Access rules to prevent the decryption of all traffic that matches the specified URL categories.
Note: To use the Private Data application usage tag to exclude traffic from decryption, you must have a license for category-based URL filtering using the ThreatSeeker Intelligence Cloud service.
For more information, see Knowledge Base article 18074.
In all cases, traffic to the specified domains is allowed to pass through the engine without being decrypted.
TLS Matches define matching criteria for the use of the TLS protocol in traffic, and allow you to prevent specified traffic from being decrypted. TLS Matches that deny decrypting are applied globally, even if the TLS Match elements are not used in the policy. However, TLS Match elements that are used in specific Access rules can override globally applied TLS matches.
In most cases, TLS Matches are the recommended way to prevent traffic from being decrypted and inspected. However, globally excluding a domain from decryption can also prevent some Network Applications from being detected in encrypted connections to that domain. In that case, use HTTPS Inspection Exceptions instead to exclude the domain from TLS inspection.
The Decryption option in the Allow Action Options in Access rules defines whether traffic that matches the rule is decrypted. To exclude specific traffic from decryption for TLS inspection, add the following type of Access rule:
Source | Destination | Service | Action |
---|---|---|---|
Source IP address | Destination IP address | One or more of the following Service elements: | Allow. Decryption: Disallowed |
HTTPS Inspection Exceptions are used in a custom HTTPS service to define a list of domains for which HTTPS traffic is not decrypted. The custom HTTPS service must be used in a rule, and only traffic that matches the rule is excluded from decryption and inspection. HTTPS Inspection Exceptions are primarily intended for backwards compatibility.
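The precedence described above for globally applied TLS Matches, TLS Matches used in a specific Access rule, the Decryption option of the rule, and HTTPS Inspection Exceptions, modeled as an added Python example. This is illustrative code written for this page, not the Secure SD-WAN Engine's implementation: the element and option names follow the documentation, but the wildcard domain-matching semantics, the `deny_decrypting` flag used to model an override, the evaluation order and the sample policy are assumptions.

```python
"""Illustrative model of decryption-exclusion precedence (added example, not
engine code). Assumptions are marked in comments."""
from dataclasses import dataclass, field
from typing import List, Tuple


def domain_matches(pattern: str, name: str) -> bool:
    """Match a server name (from SNI or the server certificate) against an
    exclusion entry. Assumed semantics: case-insensitive exact match, or a
    leading '*.' that matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # ".example.com"
        if not name.endswith(suffix) or len(name) <= len(suffix):
            return False
        return "." not in name[: -len(suffix)]   # only one label may precede
    return pattern == name


@dataclass
class TlsMatch:
    """A TLS Match element. Deny-decrypting matches apply globally even when
    the element is not used in any rule."""
    name: str
    domains: List[str]
    deny_decrypting: bool = True   # assumed flag; False models an allow override


@dataclass
class AccessRule:
    """The parts of an Allow Access rule that affect decryption."""
    name: str
    decryption_allowed: bool = True            # Allow Action Options > Decryption
    tls_matches: List[TlsMatch] = field(default_factory=list)   # override globals
    https_exceptions: List[str] = field(default_factory=list)   # custom HTTPS service


def decide_decryption(server_name: str, rule: AccessRule,
                      global_matches: List[TlsMatch]) -> Tuple[bool, str]:
    """Return (decrypt, reason) for a connection that matched `rule`.
    The evaluation order is an assumption of this model."""
    if not rule.decryption_allowed:
        return False, f"rule {rule.name}: Decryption Disallowed"
    for domain in rule.https_exceptions:
        if domain_matches(domain, server_name):
            return False, f"rule {rule.name}: HTTPS Inspection Exception {domain}"
    # TLS Matches used in the rule take precedence over globally applied ones.
    for m in rule.tls_matches:
        if any(domain_matches(d, server_name) for d in m.domains):
            if m.deny_decrypting:
                return False, f"rule {rule.name}: TLS Match {m.name} denies decrypting"
            return True, f"rule {rule.name}: TLS Match {m.name} overrides global exclusion"
    for m in global_matches:
        if m.deny_decrypting and any(domain_matches(d, server_name) for d in m.domains):
            return False, f"global TLS Match {m.name} denies decrypting"
    return True, "no exclusion matched"


# Constructed sample policy for the example (not taken from the documentation).
GLOBAL_TLS_MATCHES = [TlsMatch("Banking", ["*.bank.example"])]
DEFAULT_RULE = AccessRule("Outbound web")
OVERRIDE_RULE = AccessRule("Audited finance hosts",
                           tls_matches=[TlsMatch("Audit", ["*.bank.example"],
                                                 deny_decrypting=False)])
WEBMAIL_RULE = AccessRule("Webmail", https_exceptions=["mail.example.net"])

if __name__ == "__main__":
    for name, rule in [("login.bank.example", DEFAULT_RULE),
                       ("login.bank.example", OVERRIDE_RULE),
                       ("mail.example.net", WEBMAIL_RULE),
                       ("www.example.org", DEFAULT_RULE)]:
        print(name, rule.name, decide_decryption(name, rule, GLOBAL_TLS_MATCHES))
```

The point to check in any real policy is the same one the model makes explicit: a global deny-decrypting TLS Match silently covers every rule, while a TLS Match placed in a rule changes the outcome only for connections that match that rule, and an HTTPS Inspection Exception does nothing unless its custom HTTPS service is actually used in a rule.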
Starting from version 6.11, the Secure SD-WAN Engine can actively fetch destination server certificates when inspecting TLS traffic. When the Active destination server certificate probing option is enabled in the SMC and a client opens a TLS connection through the Secure SD-WAN Engine to a destination server, the engine first checks whether it already has a cached copy of that server's certificate. If the certificate is not in the cache, the engine opens a separate connection to the destination server and fetches the certificate. If the fetch succeeds, the engine caches the server certificate together with the server endpoint information and uses the cached copy for later TLS connections to the same server endpoint.
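The probing sequence described above (cache lookup, a separate connection to fetch the certificate on a miss, caching by server endpoint), written out as an added Python example. It is illustrative code for this page, not the Secure SD-WAN Engine's implementation; including the SNI name in the cache key, the TTL, and the handling of failed probes are assumptions.

```python
"""Added example: a server-certificate probe with an endpoint cache modeling the
behavior described above. Not the Secure SD-WAN Engine's implementation; the
cache key, TTL and failure handling are assumptions."""
import socket
import ssl
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Endpoint = Tuple[str, int, str]   # (server IP, port, SNI name)


def probe_server_certificate(ip: str, port: int, sni: str, timeout: float = 5.0) -> str:
    """Open a separate TLS connection to the destination server and return its
    leaf certificate as PEM. Verification is disabled on purpose: this probe
    only retrieves the certificate; policy decisions are made elsewhere."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


@dataclass
class CachedCert:
    pem: str
    fetched_at: float


class CertProbeCache:
    """Cache of probed certificates keyed by server endpoint.

    The SNI name is part of the key (an assumption of this example): one
    IP:port commonly serves different certificates for different names, so
    caching by IP:port alone would hand back the wrong certificate."""

    def __init__(self, fetch: Callable[[str, int, str], str] = probe_server_certificate,
                 ttl: float = 3600.0, clock: Callable[[], float] = time.time):
        self._fetch = fetch
        self._ttl = ttl
        self._clock = clock
        self._cache: Dict[Endpoint, CachedCert] = {}
        self.fetches = 0   # number of probe connections actually attempted

    def get(self, ip: str, port: int, sni: str) -> Optional[str]:
        """Return the server certificate (PEM) for the endpoint, probing the
        server only on a cache miss or after expiry. Returns None if the probe
        fails; failures are not cached, so the next connection retries."""
        key: Endpoint = (ip, port, sni.lower())
        hit = self._cache.get(key)
        if hit is not None and self._clock() - hit.fetched_at < self._ttl:
            return hit.pem
        try:
            self.fetches += 1
            pem = self._fetch(ip, port, sni)
        except (OSError, ssl.SSLError):
            self._cache.pop(key, None)
            return None
        self._cache[key] = CachedCert(pem, self._clock())
        return pem
```

The probe is a second, engine-originated handshake to the destination server, so the cache is what keeps it to one connection per endpoint per TTL; `fetch` and `clock` are injectable so the caching logic can be exercised without network access.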