Manage Traffic Decryption

Decryption is used for various purposes in Secure Access. You will configure decryption when you configure those features.

Table of Contents

Internet Access Features Requiring Decryption

The following features require decryption or do not work effectively on encrypted traffic:

  • Intrusion prevention (IPS) for traffic to internet destinations
    Traffic must be decrypted in order to inspect HTTPS traffic for known threats and behaviors.
  • Web security (configured in web profiles)
    Decryption is required for inspection by the security and acceptable use features. In general, the web profile specified in any internet access rule should have decryption enabled, unless the destinations are trusted.
  • File inspection and analysis and enforcement of file type controls
    See Manage File Inspection and File Analysis and Manage File Type Control.
  • Destinations that are derived from SAML configurations
  • Remote browser isolation (RBI)
    If you choose Isolate as the rule action in an internet access rule, affected traffic must be decrypted. Enable decryption in the web profile that you choose for that rule.
  • Displaying block and warning notifications to end users
    When a destination triggers a warning page, users can only access that destination by clicking the link in the warning notification.
    See Manage Notification Pages.
  • Tenant Controls
  • Advanced Application Controls.
  • Data Loss Prevention

Sites that use HTTP rather than HTTPS do not require decryption to benefit from the functionality listed above. However, most sites use HTTPS. Enforcement based on threat categories never requires decryption.

Internet Traffic That Should Not Be Decrypted

Certain traffic should not be decrypted for various reasons:

Traffic that should not be decryptedHow to Configure, and More Information
Traffic to confidential internet destinations, based on laws, regulations, or policySee Important Information About Do Not Decrypt Lists.
Sites with pinned certificates (for IPS)See Global Settings for Access Rules.
Sites with pinned certificates (for web security features)

Microsoft 365 applicationsSee Global Settings for Access Rules.
Trusted filesSee Advanced settings in the Security Controls section of each internet access rule.
This feature is sometimes called "Protected file bypass."

Decryption in Private Access Rules

Decryption is required for Intrusion prevention (IPS) for traffic to private destinations.
Traffic must be decrypted in order to inspect it for known threats and behaviors.

Traffic to private resources will be decrypted for inspection by the IPS feature only if decryption is enabled for that resource and the required certificate is present.

Traffic to private destinations that are not configured as private resources (that is, traffic to destinations that you type directly into an access rule) is not decrypted.

You will configure decryption for private resources when you configure the private resource.

See Add a Private Resource.

Decryption Settings

Decryption-specific settings appear in the following components:

Decryption Requires Certificates

In most cases, decryption requires uploading or installing certificates. For details, see Certificates for Internet Decryption.

Decryption Logging

Enable or disable decryption logging in Global Settings. See Edit Rule Defaults and Global Settings.

To view decryption logs, see Reports.

Troubleshooting Decryption

If you suspect decryption is causing issues, try the following:

Allow Users to Contact an Administrator < Manage Traffic Decryption > Important Information About Do Not Decrypt Lists