Globally exclude domains from decryption

TLS Match elements define matching criteria for the use of the TLS protocol in traffic, and allow you to prevent the specified traffic from being decrypted.

TLS Matches that deny decrypting are applied globally, even if the TLS Match elements are not used in the policy. However, TLS Match elements that are used in specific Access rules can override globally applied TLS matches.

In most cases, TLS Matches are the recommended way to prevent traffic from being decrypted and inspected. Globally excluding domains from decryption can also prevent some Network Applications from being detected in encrypted connections. In this case, you can exclude the domain from TLS inspection.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Browse to Other Elements > TLS Matches.
  3. Right-click TLS Matches, then select New TLS Match.
  4. In the Name field, enter a unique name.
  5. Select Deny Decrypting.
  6. From the Match Certificate Validation drop-down list, select Validation succeeded.
  7. Click Add, then specify the Matching Domains to exclude from decryption.
    We recommend adding the domain names that users access to guarantee that traffic is not decrypted. If no domains are specified, any connection for which validation succeeded is excluded from decryption.
  8. Click OK.
    Connections are excluded from decryption as specified in the TLS Matches.