Important Information About Do Not Decrypt Lists
Traffic that is not decrypted cannot be effectively inspected for threats.
However, in order to comply with confidentiality regulations in some locations, certain traffic should not be decrypted. You can use Do Not Decrypt lists to specify these destinations.
Do Not Decrypt lists apply only to destinations in internet access rules, and they are used for intrusion prevention (IPS) and for features configured in security profiles.
Currently, IPS profiles and security profiles support Do Not Decrypt lists differently:
- All IPS profiles use a single Do Not Decrypt list.
- Each security profile for internet access can use any Do Not Decrypt list.
- The types of destinations that you can specify for IPS and for a security profile are different. See the applicable sections below.
Do Not Decrypt List for IPS
Destinations on the system-provided Do Not Decrypt list are not decrypted for inspection by the intrusion prevention (IPS) feature.
All IPS profiles use the system-provided Do Not Decrypt list that ships with Secure Access. You can add destinations to this list.
To configure this list, navigate to Secure > Settings > Do Not Decrypt Lists.
About decryption in private access rules
Do not use the system-provided Do Not Decrypt list for private destinations. Instead, you can configure a private resource and not enable decryption for that resource. See Add Private Resources.
Do Not Decrypt Lists for Security Profiles for Internet Access
When a Do Not Decrypt list is associated with a security profile for internet access, destinations on the list will not be decrypted by the security and acceptable use features enabled in that profile.
Initially, the default Do Not Decrypt list for security profiles is the same system-provided Do Not Decrypt list that is used for IPS. You can either use this single list for both IPS and security profiles, or you can create additional Do Not Decrypt lists for use in security profiles. See Add a Do Not Decrypt List for Security Profiles for Internet Access.
Differences Between IPS and Features in Security Profiles
The types of destinations that you can choose not to decrypt are different for IPS and for features configured in security profiles for internet access:
| | Applications | Sites that belong to specified Content Categories | Domains |
|---|---|---|---|
| IPS | No | Yes | Yes |
| Features in Security Profiles | Yes | Yes | Yes |
The System-Provided Do Not Decrypt List
The system-provided Do Not Decrypt list is the only list used by the IPS feature. The same list is the default list used by the features in the security profile for internet access. The system-provided Do Not Decrypt list does not include the ability to specify applications; this option is available only in custom lists.
Initially, this list is empty. Add the destinations that are important to your organization.
Limitation: Do Not Decrypt Based on Content Category
While web site categorization is updated continuously, it is not possible to categorize all web sites on the internet, and some sites may be categorized incorrectly. Therefore, if you choose not to decrypt traffic based on content category, it is possible that traffic to sites that should not be decrypted may be decrypted, and traffic that should be decrypted may not be decrypted.
This limitation is not unique to Cisco.