A security engineer notices that HTTPS traffic to a critical business application is being decrypted and re-encrypted, causing performance issues. The application uses a certificate from a public CA. The engineer wants to minimize decryption overhead while still inspecting for threats. Which decryption policy configuration best achieves this?
- A: Create a decryption policy rule with action 'Decrypt' and a custom URL category for the application.
  Why wrong: Decrypting all traffic adds overhead and is not minimized.
- B: Create a decryption policy rule with action 'No Decrypt' and disable certificate status check.
  Why wrong: Disabling status check trusts all certificates, including potentially compromised ones.
- C: Create a decryption policy rule with action 'No Decrypt' and enable 'Forward Trust Certificate' and 'Forward Untrust Certificate' with certificate status check.
  Why correct: This allows trusted certificates to pass without decryption, reducing overhead while still validating certificates.
- D: Create a decryption policy rule with action 'Decrypt' and source zone set to 'Untrust'.
  Why wrong: Decrypting from the untrust zone increases overhead and does not specifically address the application.