An engineer is configuring SSL Forward Proxy decryption for internal users. The firewall must decrypt traffic to all external HTTPS sites except specific financial services domains that require end-to-end encryption. Which best practice should the engineer implement to achieve this?
- A. Disable decryption globally and create a custom URL category for the financial domains to enable decryption only for those.
  Why wrong: Disabling decryption globally would stop decryption of all traffic, and the financial domains would be affected too if the exception is not handled correctly; this is not the typical approach.
- B. Create two Decryption Policy rules: one with the 'ssl-decrypt' action for the general category and a second rule with the 'no-decrypt' action for the financial domains.
  Why right: This decrypts most traffic while exempting the specified domains, which is the documented best practice.
- C. Upload the server certificates for the financial domains to the firewall and enable 'no-decrypt' on the Decryption Profile.
  Why wrong: Uploading server certificates is not required for no-decrypt, and the Decryption Profile does not have a per-domain 'no-decrypt' setting.
- D. Configure a single Decryption Policy rule with a 'decrypt' action and add the financial domains to the 'Exclude Certificate' list.
  Why wrong: 'decrypt' is not a valid action; the correct action is 'ssl-decrypt'. Excluding certificates is also not the intended method for skipping decryption.