Manage Traffic Decryption

Decryption is used for various purposes in Secure Access. You will configure decryption when you configure those features.

Internet Access Features Requiring Decryption

The following features require decryption or do not work effectively on encrypted traffic:

  • Intrusion prevention (IPS) for traffic to internet destinations
    Traffic must be decrypted in order to inspect HTTPS traffic for known threats and behaviors.
  • Web security (configured in web profiles)
    Decryption is required for inspection by the security and acceptable use features. In general, the web profile specified in any internet access rule should have decryption enabled, unless the destinations are trusted.
  • File inspection and analysis and enforcement of file type controls
    See Manage File Inspection and File Analysis and Manage File Type Control.
  • Destinations that are derived from SAML configurations
  • Remote browser isolation (RBI)
    If you choose Isolate as the rule action in an internet access rule, affected traffic must be decrypted. Enable decryption in the web profile that you choose for that rule.
  • Displaying block and warning notifications to end users
    When a destination triggers a warning page, users can only access that destination by clicking the link in the warning notification.
    See Manage Notification Pages.
  • Tenant Controls
  • Advanced Application Controls
  • Data Loss Prevention

Sites that use HTTP rather than HTTPS do not require decryption to benefit from the functionality listed above. However, most sites use HTTPS. Enforcement based on threat categories never requires decryption.

Internet Traffic That Should Not Be Decrypted

Certain traffic should not be decrypted for various reasons:

| Traffic that should not be decrypted | How to Configure, and More Information |
|---|---|
| Traffic to confidential internet destinations, based on laws, regulations, or policy | See Important Information About Do Not Decrypt Lists. |
| Sites with pinned certificates (for IPS) | See Global Settings for Access Rules. |
| Sites with pinned certificates (for web security features) | N/A |
| Microsoft 365 applications | See Global Settings for Access Rules. |
| Trusted files | See Advanced settings in the Security Controls section of each internet access rule. This feature is sometimes called "Protected file bypass." |

Decryption in Private Access Rules

Decryption is required for intrusion prevention (IPS) for traffic to private destinations.
Traffic must be decrypted in order to inspect it for known threats and behaviors.

Traffic to private resources will be decrypted for inspection by the IPS feature only if decryption is enabled for that resource and the required certificate is present.

Traffic to private destinations that are not configured as private resources (that is, traffic to destinations that you type directly into an access rule) is not decrypted.

You will configure decryption for private resources when you configure the private resource.

See Add a Private Resource.

Decryption Settings

Decryption-specific settings appear in the following components:

Decryption Requires Certificates

In most cases, decryption requires uploading or installing certificates. For details, see Certificates for Internet Decryption.

Decryption Logging

Enable or disable decryption logging in Global Settings. See Edit Rule Defaults and Global Settings.

To view decryption logs, see Reports.

Troubleshooting Decryption

If you suspect decryption is causing issues, try the following:

