Exclude traffic from decryption for TLS inspection

Some traffic is automatically excluded from decryption. You can also exclude traffic from decryption globally, add rules to exclude specific traffic from decryption, or create specific lists of domains to exclude from decryption.

Traffic to and from some servers that use TLS can contain users’ personal information that is protected by laws related to the privacy of communications. Decrypting and inspecting this traffic might be illegal in some jurisdictions. Some connections or network applications also might not work correctly if the traffic is decrypted.

You can exclude traffic from decryption and inspection in several ways:

  • Globally with a TLS Match element.
  • For specific matching traffic with an HTTPS Inspection Exception element.
  • For network applications that match the URL categories specified in the Private Data application usage tag. You can use the Private Data application usage tag in Access rules to prevent the decryption of all traffic that matches the specified URL categories.
    Note: To use the Private Data application usage tag to exclude traffic from decryption, you must have a license for category-based URL filtering using the ThreatSeeker Intelligence Cloud service.

    For more information, see Knowledge Base article 18074.

In all cases, traffic to the specified domains is allowed to pass through the engine without being decrypted.

The NGFW Engine primarily matches the specified domains on the Server Name Indication (SNI) extension in the TLS ClientHello, which the client sends in the clear before the server certificate is returned. You can also use category-based URL filtering to exclude all traffic in the selected URL Categories from decryption; that match is also made on the SNI in the traffic.
Note: If the end user's browser does not send SNI, the engine has no domain to match against, so the traffic might be decrypted even if the domain is on an exclusion list.

TLS Match elements define matching criteria for the use of the TLS protocol in traffic, and allow you to prevent specified traffic from being decrypted. TLS Match elements whose action is to deny decryption are applied globally, even if the elements are not used in the policy. However, TLS Match elements that are used in specific Access rules override the globally applied TLS Matches for the traffic those rules match.

In most cases, TLS Matches are the recommended way to prevent traffic from being decrypted and inspected. Globally excluding domains from decryption might also prevent some Network Applications from being detected in encrypted connections. In that case, use an HTTPS Inspection Exception instead, so that the domain is excluded from TLS inspection only for the traffic that matches the rule using it.

The Decryption option in the Allow Action Options in Access rules defines whether traffic that matches the rule is decrypted. To exclude specific traffic from decryption for TLS inspection, add an Access rule with the following settings:

Source: Source IP address
Destination: Destination IP address
Service: One or more of the following Service elements:
  • HTTPS (with decryption)
  • HTTPS (SafeSearch with decryption)
  • A custom Service element that uses the HTTPS Protocol
Action: Allow, with the Decryption option set to Disallowed

HTTPS Inspection Exceptions are used in a custom HTTPS Service element to define a list of domains for which HTTPS traffic is not decrypted. The custom HTTPS Service must be used in an Access rule, and only traffic that matches that rule is excluded from decryption and inspection; traffic to the same domains that matches other rules is still decrypted. HTTPS Inspection Exceptions are primarily intended for backwards compatibility.