Important Information About Do Not Decrypt Lists

Traffic that is not decrypted cannot be effectively inspected for threats.

However, in order to comply with confidentiality regulations in some locations, certain traffic should not be decrypted. You can use Do Not Decrypt lists to specify these destinations.

Do Not Decrypt lists apply only to destinations in internet access rules, and they are used for both web security and intrusion prevention (IPS) features.

Currently, IPS profiles and web profiles support Do Not Decrypt lists differently:

  • All IPS profiles use a single Do Not Decrypt list.
  • Each web profile can use any Do Not Decrypt list.
  • The types of destinations that you can specify for IPS and web features are different. See the applicable sections below.

Do Not Decrypt List for IPS

Destinations on the system-provided Do Not Decrypt list are not decrypted for inspection by the intrusion prevention (IPS) feature.

All IPS profiles use the system-provided Do Not Decrypt list that ships with Secure Access. You can add destinations to this list.

To configure this list, navigate to Secure > Settings > Do Not Decrypt Lists.

Note: About decryption in private access rules

Do not use the system-provided Do Not Decrypt list for private destinations. Instead, you can configure a private resource and not enable decryption for that resource. See Add Private Resources.

Do Not Decrypt Lists for Web

When a Do Not Decrypt list is associated with a web profile, destinations on the list will not be decrypted by the security and acceptable use features enabled in that profile.

Initially, the default Do Not Decrypt list for web profiles is the same system-provided Do Not Decrypt list that is used for IPS. You can either use this single list for both IPS and web security features, or you can create additional Do Not Decrypt lists for use in web profiles. If you want to specify applications as destinations for web security features, create a custom Do Not Decrypt list and specify that list in the web profile. See Add a Do Not Decrypt List for Web Profiles.

Differences Between IPS and Web Destination Types

The types of destinations that you can choose not to decrypt are different for IPS and web security features:

Feature   Applications   Sites that belong to specified Content Categories   Domains
IPS       No             Yes                                                 Yes
Web       Yes            Yes                                                 Yes

The System-Provided Do Not Decrypt List

The system-provided Do Not Decrypt list is the only list used by the IPS feature. The same list is the default list used by the web security features. The system-provided Do Not Decrypt list does not include the ability to specify applications; this option is available only in custom lists.

Initially, this list is empty. Add the destinations that are important to your organization.

Limitation: Do Not Decrypt Based on Content Category

While website categorization is updated continuously, it is not possible to categorize every website on the internet, and some sites may be categorized incorrectly. Therefore, if you choose not to decrypt traffic based on content category, traffic to sites that should not be decrypted may be decrypted, and traffic that should be decrypted may not be decrypted.

This limitation is not unique to Cisco.
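The following is an added illustration, not code from Cisco Secure Access, of the two points made above: the destination types accepted by IPS and web lists differ (applications are web-only), and a category-based exemption is only as accurate as the categorization feed behind it. The data structures, function names, the categorization feed and the sample domains are all constructed for this example and are not part of the product or its documentation. The feed deliberately mis-categorizes two constructed domains so that both failure directions from the text show up: a sensitive site that is decrypted because its category is wrong, and a non-sensitive site that escapes inspection because it was placed in an exempt category.

```python
"""Model of Do Not Decrypt list evaluation.

Constructed example: the list types, the categorization feed and the sample
domains below are assumptions made for illustration, not Cisco Secure Access
internals. The rules modelled come from the page: IPS lists accept content
categories and domains; web lists additionally accept applications; a
category match depends on the categorization feed being correct.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Destination types each feature's list accepts (from the comparison table).
DESTINATION_TYPES = {
    "ips": {"category", "domain"},
    "web": {"application", "category", "domain"},
}


def supports(feature: str, kind: str) -> bool:
    """True if a list for `feature` may contain entries of type `kind`."""
    return kind in DESTINATION_TYPES[feature]


@dataclass
class DoNotDecryptList:
    name: str
    feature: str                                   # "ips" or "web"
    entries: set[tuple[str, str]] = field(default_factory=set)

    def add(self, kind: str, value: str) -> None:
        """Add an entry, rejecting types the feature does not support."""
        if not supports(self.feature, kind):
            raise ValueError(f"{kind!r} entries are not supported in {self.feature} lists")
        self.entries.add((kind, value.lower()))


# Constructed categorization feed. Two domains are mis-categorized on purpose
# to reproduce the limitation described in the text.
CATEGORY_FEED = {
    "bank.example": "finance",
    "clinic.example": "health",
    "payroll.example": "news",      # should be "finance": mis-categorized
    "cdn.example": "finance",       # should be "software": mis-categorized
}

# Constructed ground truth: which domains the organization must NOT decrypt.
GROUND_TRUTH = {
    "bank.example": True,
    "clinic.example": True,
    "payroll.example": True,
    "cdn.example": False,
}


@dataclass
class Destination:
    domain: str
    application: str | None = None


def should_decrypt(dnd: DoNotDecryptList, dest: Destination) -> bool:
    """Return False if any list entry exempts the destination from decryption."""
    domain = dest.domain.lower()
    for kind, value in dnd.entries:
        # Domain entries are deterministic: exact match or a subdomain of the entry.
        if kind == "domain" and (domain == value or domain.endswith("." + value)):
            return False
        if kind == "application" and dest.application and dest.application.lower() == value:
            return False
        # Category entries inherit whatever the feed says about the domain.
        if kind == "category" and CATEGORY_FEED.get(domain) == value:
            return False
    return True


def category_exemption_errors(dnd: DoNotDecryptList,
                              truth: dict[str, bool]) -> dict[str, list[str]]:
    """Compare the list's decisions against ground truth in both directions."""
    wrongly_decrypted, wrongly_exempted = [], []
    for domain, must_not_decrypt in truth.items():
        decrypted = should_decrypt(dnd, Destination(domain))
        if must_not_decrypt and decrypted:
            wrongly_decrypted.append(domain)      # sensitive traffic inspected
        if not must_not_decrypt and not decrypted:
            wrongly_exempted.append(domain)       # inspectable traffic missed
    return {"wrongly_decrypted": wrongly_decrypted, "wrongly_exempted": wrongly_exempted}


if __name__ == "__main__":
    ips = DoNotDecryptList("system-provided", "ips")
    ips.add("category", "finance")
    ips.add("category", "health")
    print("category-only list:", category_exemption_errors(ips, GROUND_TRUTH))
    ips.add("domain", "payroll.example")        # explicit domain entry closes one gap
    print("with domain entry:", category_exemption_errors(ips, GROUND_TRUTH))
```

Running the category-only list reports `payroll.example` as wrongly decrypted and `cdn.example` as wrongly exempted; adding an explicit domain entry fixes the first case but not the second, since a category entry still covers whatever the feed assigns to it.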
