Example: Preventing decryption of private connections

In this example, a company uses category-based URL filtering to prevent connections to online banking services from being decrypted.

The company uses several different online banking services for business purposes. It also allows users in the company network to connect to personal online banking services. The company does not want connections to any online banking services to be decrypted for TLS inspection.

Because URLs can be categorized based on the Server Name Indication (SNI) that the client sends in the clear in the TLS ClientHello of HTTPS traffic, connections to online banking services can be identified without decrypting the traffic. Options in the Access rules specify whether decryption is allowed for matching traffic.

To identify connections to online banking services and prevent them from being decrypted, the administrators:

  1. Add the following type of Access rule.
    Table 1. Rule to prevent decryption of private communications
    Source   Destination   Service                                    Action
    ANY      ANY           Financial Data and Services URL Category   Allow
  2. Edit the action options and select Disallowed for the Decryption option.
  3. Save and install the policy.