Manage Traffic Decryption
Several Secure Access features depend on decrypting TLS traffic before they can inspect it. You configure decryption as part of configuring those features.
Table of Contents
- Internet Access Features Requiring Decryption
- Internet Traffic That Should Not Be Decrypted
- Decryption in Private Access Rules
- Decryption Settings
- Decryption Requires Certificates
- Decryption Logging
- Troubleshooting Decryption
Internet Access Features Requiring Decryption
The following features require decryption, or do not work effectively on encrypted traffic:
- Intrusion prevention (IPS) for traffic to internet destinations. Traffic must be decrypted before HTTPS traffic can be inspected for known threats and behaviors.
- File inspection and analysis. See Manage File Inspection and File Analysis.
- Destinations that are derived from SAML configurations
- Displaying block notifications to end users. When a destination triggers a block page, users cannot access that destination and can be redirected to a custom page. See Manage Notification Pages.
- Data Loss Prevention
Sites that use HTTP rather than HTTPS do not need to be decrypted to benefit from the functionality listed above; however, most sites use HTTPS. Enforcement based on threat categories never requires decryption.
Internet Traffic That Should Not Be Decrypted
Certain traffic should not be decrypted for various reasons:
| Traffic that should not be decrypted | How to configure, and more information |
|---|---|
| Traffic to confidential internet destinations, based on laws, regulations, or policy | See Important Information About Do Not Decrypt Lists. |
| Sites with pinned certificates (for IPS) | See Global Settings for Access Rules. |
| Sites with pinned certificates (for web security features) | N/A |
| Microsoft 365 applications | See Global Settings for Access Rules. |
Decryption in Private Access Rules
Decryption is required for intrusion prevention (IPS) on traffic to private destinations: traffic must be decrypted before it can be inspected for known threats and behaviors.
Traffic to private resources will be decrypted for inspection by the IPS feature only if decryption is enabled for that resource and the required certificate is present.
Traffic to private destinations that are not configured as private resources (that is, traffic to destinations that you type directly into an access rule) is not decrypted.
You will configure decryption for private resources when you configure the private resource.
Decryption Settings
Decryption-specific settings appear in the following components:
- Private Resource
- Global Settings. This setting affects decryption for Intrusion Prevention (IPS) only, and it applies only to private destinations.
- Internet access rules, in the Advanced settings section at the bottom of each rule
Decryption Requires Certificates
In most cases, decryption requires uploading or installing certificates. For details, see Certificates for Internet Decryption.
Decryption Logging
Enable or disable decryption logging in Global Settings. See Edit Rule Defaults and Global Settings.
To view decryption logs, see Reports.
Troubleshooting Decryption
If you suspect decryption is causing issues, try the following:
- Check decryption logs.
- Temporarily disable decryption globally for IPS, on the Global Settings page. See Edit Rule Defaults and Global Settings.
- Look at the options for traffic that should not be decrypted in the table above.
- See other troubleshooting topics in this guide. The issue may not be specifically related to decryption. For example, see Troubleshoot Private Access Rules and Troubleshoot Internet Access Rules.
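A quick way to confirm from an endpoint whether a given destination is actually being decrypted (and whether the decryption root CA from Decryption Requires Certificates is trusted on that endpoint) is to complete a TLS handshake and look at who issued the certificate the client received: a decrypted connection presents a leaf certificate re-signed by the decryption CA, while passthrough traffic (for example a do-not-decrypt destination) presents the public CA chain. The script below is an added example for the troubleshooting steps above, not code from the Secure Access product or its documentation. It assumes a hypothetical decryption root CA common name, `Example Corp Decryption Root CA`; the two sample certificates are constructed in the shape that Python's `ssl` module returns from `getpeercert()`, not real captures.

```python
"""Check whether a TLS connection is being decrypted by an inspecting proxy.

Added example; not part of the Secure Access documentation. It assumes the
decryption root CA installed on endpoints has a known subject common name
(the hypothetical "Example Corp Decryption Root CA" below).
"""
import socket
import ssl
from typing import Iterable, Optional

# Hypothetical common name of the decryption root CA pushed to endpoints.
INTERCEPT_CA_CN = "Example Corp Decryption Root CA"


def rdn_to_dict(rdns) -> dict:
    """Flatten the ((('commonName', 'x'),), ...) structure that
    ssl.SSLSocket.getpeercert() uses for the 'issuer' and 'subject' fields."""
    out = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out


def classify_peercert(cert: dict, intercept_cns: Iterable[str]) -> str:
    """Return 'decrypted' if the leaf certificate was issued by one of the
    intercept CAs (the proxy re-signed it on the way through), otherwise
    'passthrough' (the origin's own public CA chain reached the client)."""
    issuer = rdn_to_dict(cert.get("issuer", ()))
    if issuer.get("commonName") in set(intercept_cns):
        return "decrypted"
    return "passthrough"


def intercept_ca_trusted(cn: str, ctx: Optional[ssl.SSLContext] = None) -> bool:
    """Report whether a CA with this commonName is in the trust store the
    default SSLContext loads. Caveat: get_ca_certs() only lists CAs loaded
    from a cafile; CAs found via a capath directory appear only after a
    handshake has used them, so a False here is a hint, not proof."""
    ctx = ctx or ssl.create_default_context()
    for ca in ctx.get_ca_certs():
        if rdn_to_dict(ca.get("subject", ())).get("commonName") == cn:
            return True
    return False


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect, complete the handshake, and return the peer certificate as
    getpeercert() reports it. Needs network access; not used offline.
    Verification is left on: a decrypted connection only succeeds when the
    intercept CA is trusted, which is exactly the condition being checked."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() form (not real captures).
SAMPLE_DECRYPTED = {
    "subject": ((("commonName", "api.example.com"),),),
    "issuer": (
        (("organizationName", "Example Corp"),),
        (("commonName", INTERCEPT_CA_CN),),
    ),
    "subjectAltName": (("DNS", "api.example.com"),),
}
SAMPLE_PASSTHROUGH = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("commonName", "Public Issuing CA R3"),),
    ),
    "subjectAltName": (("DNS", "mail.example.com"),),
}


def triage(host: str, cert: dict) -> str:
    """One-line verdict for a destination, for use when working through the
    troubleshooting list above."""
    verdict = classify_peercert(cert, [INTERCEPT_CA_CN])
    if verdict == "decrypted":
        return f"{host}: decrypted (issuer is the decryption CA)"
    return f"{host}: not decrypted (origin chain presented)"


if __name__ == "__main__":
    print(triage("api.example.com", SAMPLE_DECRYPTED))
    print(triage("mail.example.com", SAMPLE_PASSTHROUGH))
    print("intercept CA trusted locally:", intercept_ca_trusted(INTERCEPT_CA_CN))
    # For a live check replace the samples with probe("hostname").
```

Run `triage(host, probe(host))` for a destination you expect to be decrypted and one you have placed on a do-not-decrypt list: the first should report the decryption CA as issuer, the second the origin's public CA. A destination that uses certificate pinning will typically fail the handshake at the client rather than show up as decrypted, which is the signature to look for before adding it to the do-not-decrypt list.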