Important Information About Do Not Decrypt Lists

Traffic that is not decrypted cannot be effectively inspected for threats.

However, in order to comply with confidentiality regulations in some locations, certain traffic should not be decrypted. You can use Do Not Decrypt lists to specify these destinations.

Do Not Decrypt lists apply only to destinations in internet access rules, and they are used by the intrusion prevention system (IPS) feature.

Do Not Decrypt List for IPS

Destinations on the system-provided Do Not Decrypt list are not decrypted for inspection by the intrusion prevention (IPS) feature.

All IPS profiles use the system-provided Do Not Decrypt list that ships with Secure Access. You can add destinations to this list.

To edit this list, navigate to Secure > Do Not Decrypt Lists. To create a Do Not Decrypt List, see Add a Policy.

Note: About decryption in private access rules

Do not use the system-provided Do Not Decrypt list for private destinations. Instead, you can configure a private resource and not enable decryption for that resource. See Add Private Resources.

IPS Destination Types

The types of destinations that you can choose not to decrypt for IPS:

Feature   Applications   Sites that belong to specified Content Categories   Domains
IPS       No             Yes                                                 Yes

The System-Provided Do Not Decrypt List

The system-provided Do Not Decrypt list is the only list used by the IPS feature. The system-provided Do Not Decrypt list does not include the ability to specify applications; this option is available only in custom lists.

Initially, this list is empty. Add the destinations that are important to your organization.

Limitation: Do Not Decrypt Based on Content Category

Although website categorization is updated continuously, it is not possible to categorize every website on the internet, and some sites may be categorized incorrectly. Therefore, if you choose not to decrypt traffic based on content category, traffic to sites that should not be decrypted may be decrypted, and traffic that should be decrypted may not be.

This limitation is not unique to Cisco.
