Bypass traffic when decrypting

This topic discusses ways you can optionally bypass traffic from being decrypted (meaning the traffic passes through the device still encrypted). You can review some reasons to leave traffic encrypted here: When to decrypt traffic, when not to decrypt. Bypassing certain traffic has the additional advantage that system resources are not consumed decrypting it.

We provide the following ways to bypass traffic when decrypting:

  • Bypass source and destination networks: For example, traffic from internal servers located on an internal/DMZ network that you can trust doesn't need to be decrypted.

  • Bypass users: You can bypass decryption for users and groups you trust.

  • Bypass undecryptable applications: (Recommended.) The typical reason to bypass outgoing traffic to applications is that this traffic might use certificate pinning, which cannot be decrypted.

    For more information, see About TLS/SSL pinning.

  • Bypass categories: (Recommended.) Bypass decrypting URL categories of sites for the following reasons:

    • The categories represent applications (like personal finance or health) that might be illegal to decrypt and inspect.

    • Categories of websites Cisco has determined are low-risk.

  • Intelligent decryption bypass: Bypass servers based on the threat confidence levels of clients, which are determined by the Encrypted Visibility Engine (EVE), and on the URL category reputation.

    All devices to which a standard decryption policy with this option enabled is deployed must run version 7.7 or later; otherwise, policy deployment fails.