Manage Traffic Decryption

Decryption is used for various purposes in Secure Access. You configure decryption when you configure those features.

Table of Contents

Internet Access Features That Require Decryption

The following features require decryption or do not work effectively on encrypted traffic:

  • Intrusion prevention (IPS) for traffic to internet destinations
    Traffic must be decrypted to inspect HTTPS traffic for known threats and behaviors.
  • Security features configured in security profiles
    Decryption is required for inspection by the security and acceptable use features. The security profile specified in any internet access rule should have decryption enabled, unless the destinations are trusted.
  • File inspection and analysis and enforcement of file type controls
    See Manage File Inspection and File Analysis and Manage File Type Control.
  • Destinations that are derived from SAML configurations
  • Remote browser isolation (RBI)
    If you choose Isolate as the rule action in an internet access rule, affected traffic must be decrypted. Enable decryption in the security profile that you choose for that rule.
  • Displaying block and warning notifications to end users
    When a destination triggers a warning page, users can only access that destination by clicking the link in the warning notification.
    See Manage Notification Pages.
  • Tenant Controls
  • Advanced Application Controls.
  • Data Loss Prevention

Sites that use HTTP rather than HTTPS do not require decryption to benefit from the functionality listed above. However, most sites use HTTPS. Enforcement based on threat categories never requires decryption.

Internet Traffic That Should Not Be Decrypted

Traffic that should not be decryptedHow to Configure, and More Information
Traffic to confidential internet destinations, based on laws, regulations, or policySee Important Information About Do Not Decrypt Lists.
Sites with pinned certificates (for IPS)See Global Settings for Access Rules.
Sites with pinned certificates (for other features)N/A
Microsoft 365 applicationsSee Global Settings for Access Rules.
Trusted filesSee Advanced settings in the Security Controls section of each internet access rule.
This feature is sometimes called "Protected file bypass."

Traffic from certain sources, such as printers or IoT devices, on which certificates cannot be installedSee the Disable Decryption for Specific Sources section in Global Settings for Access Rules.

Decryption in Private Access Rules

Decryption is required for Intrusion prevention (IPS) for traffic to private destinations.
Traffic must be decrypted in order to inspect it for known threats and behaviors.

Traffic to private resources will be decrypted for inspection by the IPS feature only if decryption is enabled for that resource and the required certificate is present.

Decryption is also required for file inspection, file analysis, and file type blocking.

Traffic to private destinations that are not configured as private resources (that is, traffic to destinations that you type directly into an access rule) is not decrypted.

Configure decryption for private resources when you configure the private resource.

See Add a Private Resource.

Decryption Settings

Decryption-specific settings appear in the following components:

Decryption Requires Certificates

In most cases, decryption requires uploading or installing certificates. For internet traffic, see Certificates for Internet Decryption. For private destinations, see information on this page.

Decryption Logging

Enable or disable decryption logging in Global Settings. See Edit Rule Defaults and Global Settings.

To view decryption logs, see Reports.

Troubleshooting Decryption

If you suspect decryption is causing issues:


Allow Users to Contact an Administrator < Manage Traffic Decryption > Important Information About Do Not Decrypt Lists