Global Settings for Access Rules
Global Settings affect all rules of the applicable type (internet access rules, private access rules, or both).
Some global settings are intended only for troubleshooting purposes.
Change these settings only if you have good reason to do so.
To change these settings, see Edit Rule Defaults and Global Settings.
Global Settings for Access Rules
- Microsoft 365 Compatibility
- Decryption for IPS
- Disable Decryption for Specific Sources
- Decryption Logging
- Certificate Pinning
Secure Access Packages and Feature Availability
Not all of the features described here are available to all Secure Access packages. Information about your current package is listed on the Admin > Licensing page. For more information, see Determine Your Current Package. If you encounter a feature here that you do not have access to, contact your sales representative for more information about your current package. See also, Cisco Secure Access Packages
Microsoft 365 Compatibility
This setting applies only to web security features, not to IPS.
The Microsoft 365 Compatibility setting exempts the Microsoft 365 domains that Microsoft marks as Optimize and Allow in its endpoint categories from inspection and policy enforcement by the web security features, so traffic to those domains passes through unaltered. These domains are excluded from HTTPS decryption and content filtering. Microsoft 365 traffic still appears in Secure Access reports; however, because HTTPS inspection is disabled for it, the traffic is logged only at the host/domain level and the full URL is not shown.
Tenant Controls
If you use tenant controls for Microsoft 365, see additional information at Use Tenant Controls in Access Rules.
Limitations
- Microsoft 365 traffic is still sent to Secure Access's web proxy service in all deployment methods (Tunnel, AnyConnect, PAC). To stop this traffic from hitting Secure Access entirely, add manual 'External Domain' entries or route the traffic direct to the internet from your connecting devices.
- File Inspection will no longer apply to this traffic.
- This will not prevent the Microsoft 365 traffic from egressing from a Secure Access IP address.
- This does not apply to all Microsoft or Microsoft 365 domains, only to those that Microsoft categorizes as important for performance.
- This setting allows a number of important Microsoft 365 domains so web security and filtering do not apply to them, and prevents these domains from triggering Secure Access SAML authentication.
Note: Microsoft Intune sync requires "manage.microsoft.com" to be added to the Do Not Decrypt list(s) used in the relevant rules, even when Microsoft 365 Compatibility is enabled.
For more information, see the official Microsoft documentation.
Decryption for IPS
Generally, you will disable decryption for IPS only for troubleshooting purposes. Disabling decryption does not disable intrusion prevention, but decreases its effectiveness for encrypted traffic. This setting applies to both private access rules and internet access rules.
For information about other decryption settings, see Manage Traffic Decryption.
Disable Decryption for Specific Sources
To allow traffic from sources on which you cannot install certificates, such as Internet of Things (IoT) devices, disable decryption for traffic from these sources.
For information about other decryption settings, see Manage Traffic Decryption.
Decryption Logging
You can enable or disable decryption logging globally in Global Settings, for traffic to private resources, to internet destinations, or both.
Certificate Pinning
Certificate pinning is an Internet security mechanism that lets an application resist impersonation of an HTTPS server by mis-issued or otherwise fraudulent digital certificates. However, if this mechanism causes problems when users attempt to access destinations that are both essential and trusted, you may bypass it for destinations that use certificate pinning.
Note: Normally, decryption must be bypassed for sites that use pinned certificates. However, for troubleshooting purposes, you can disable this bypass for intrusion prevention (IPS).
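The sections above describe five settings that together decide whether a given HTTPS flow is decrypted for web security and for IPS, and what ends up in the decryption log. The following Python model is an added example written for this page; it is not Cisco's implementation and the setting names, the sample endpoint records (including the categorization of manage.microsoft.com as Default) and the assumption that the matching rule would otherwise decrypt are all constructed for illustration. Precedence between the settings where the page is silent is an assumption and is marked in the comments.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set
from urllib.parse import urlsplit

# Constructed records in the shape of Microsoft's endpoint category data
# (category is Optimize, Allow or Default). IDs, domains and categories are
# sample values for this example, not the live Microsoft feed.
SAMPLE_M365_ENDPOINTS = [
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize",
     "urls": ["outlook.office365.com", "outlook.office.com"]},
    {"id": 2, "serviceArea": "SharePoint", "category": "Optimize",
     "urls": ["*.sharepoint.com"]},
    {"id": 3, "serviceArea": "Common", "category": "Allow",
     "urls": ["login.microsoftonline.com", "*.officeapps.live.com"]},
    {"id": 4, "serviceArea": "Common", "category": "Default",
     "urls": ["manage.microsoft.com"]},   # Intune sync endpoint (sample categorization)
]


def m365_bypass_domains(endpoints: Iterable[dict]) -> Set[str]:
    """Domains the Microsoft 365 Compatibility setting exempts: Optimize and Allow only."""
    return {u for e in endpoints if e.get("category") in ("Optimize", "Allow")
            for u in e.get("urls", [])}


def host_matches(host: str, patterns: Iterable[str]) -> bool:
    """Exact match, or wildcard match where '*.example.com' covers every subdomain."""
    host = host.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p.startswith("*."):
            base = p[2:]
            if host == base or host.endswith("." + base):
                return True
        elif host == p:
            return True
    return False


@dataclass
class GlobalSettings:
    microsoft365_compatibility: bool = False
    decryption_for_ips: bool = True                 # turn off only for troubleshooting
    no_decrypt_sources: List[str] = field(default_factory=list)  # CIDRs, e.g. IoT segments
    bypass_pinned_for_ips: bool = True              # normal behaviour; False = troubleshooting
    decryption_logging: bool = True


@dataclass
class Flow:
    src_ip: str
    url: str
    pinned_certificate: bool = False                # destination known to pin its certificate
    rule_do_not_decrypt: List[str] = field(default_factory=list)  # the rule's Do Not Decrypt list


def evaluate(flow: Flow, settings: GlobalSettings, m365_bypass: Set[str]) -> Dict[str, object]:
    """Decide web/IPS decryption for one flow. Assumes the matching rule decrypts by default."""
    host = urlsplit(flow.url).hostname or ""
    web_decrypt, ips_decrypt = True, settings.decryption_for_ips
    reasons = []

    # Source exemption: devices that cannot carry the decryption certificate.
    # Assumption: the exemption covers decryption for both web security and IPS.
    if any(ip_address(flow.src_ip) in ip_network(n) for n in settings.no_decrypt_sources):
        web_decrypt = ips_decrypt = False
        reasons.append("source exempt from decryption")
    # Microsoft 365 Compatibility: affects web security only, IPS is unaffected.
    if settings.microsoft365_compatibility and host_matches(host, m365_bypass):
        web_decrypt = False
        reasons.append("Microsoft 365 Optimize/Allow domain")
    # Per-rule Do Not Decrypt list, e.g. manage.microsoft.com for Intune sync.
    if host_matches(host, flow.rule_do_not_decrypt):
        web_decrypt = False
        reasons.append("do-not-decrypt list")
    # Pinned certificates: bypassed for web; bypassed for IPS unless troubleshooting.
    if flow.pinned_certificate:
        web_decrypt = False
        if settings.bypass_pinned_for_ips:
            ips_decrypt = False
        reasons.append("pinned certificate")

    # Without HTTPS decryption the proxy sees only the hostname, never the full URL.
    logged_url = flow.url if web_decrypt else host
    entry = None
    if settings.decryption_logging:
        entry = (f"{flow.src_ip} {logged_url} web_decrypt={web_decrypt} "
                 f"ips_decrypt={ips_decrypt} reason={'; '.join(reasons) or 'default'}")
    return {"host": host, "web_decrypt": web_decrypt, "ips_decrypt": ips_decrypt,
            "logged_url": logged_url, "log_entry": entry}


if __name__ == "__main__":
    settings = GlobalSettings(microsoft365_compatibility=True, no_decrypt_sources=["10.20.0.0/24"])
    bypass = m365_bypass_domains(SAMPLE_M365_ENDPOINTS)
    for f in (Flow("192.0.2.10", "https://contoso.sharepoint.com/sites/hr/plan.docx"),
              Flow("192.0.2.10", "https://manage.microsoft.com/sync"),
              Flow("10.20.0.5", "https://example.com/telemetry"),
              Flow("192.0.2.10", "https://pinned.example/api", pinned_certificate=True)):
        print(evaluate(f, settings, bypass)["log_entry"])
```

The SharePoint flow shows the reporting limitation from the Microsoft 365 section: the log entry carries only the host, not the site path. The manage.microsoft.com flow is still decrypted with compatibility enabled, which is why the note above asks for it to be placed on the rule's Do Not Decrypt list.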