Standard decryption policy advanced options
(Optional.) To set advanced decryption policy options, create or edit a standard decryption policy and expand Advanced Options. Advanced options are discussed in the following paragraphs.
We recommend setting all advanced options to their default values.
Bypass legacy Cisco undecryptable sites
Enable this option to bypass decryption for websites with Distinguished Names (DNs) that Cisco has determined are undecryptable. To view the list of DNs, go to .
Require exact certificate match for inbound decryption
Enable this option to require the use of the internal server's certificate in the decryption policy (this option is referred to as known key decryption). The default is to use a different certificate, which is more convenient for replacing the policy's certificate when needed. For more information, see Incoming traffic decryption actions.
Enable adaptive TLS server identity probe
Automatically enabled when TLS 1.3 decryption is enabled. A probe is a partial TLS connection with the server, the purpose of which is to obtain the server certificate and cache it. (If the certificate is already cached, the probe is never established.)
If TLS 1.3 Server Identity Discovery is disabled on the access control policy with which the decryption policy is associated, we attempt to use the Server Name Indication (SNI), which is not as reliable.
The adaptive TLS server identity probe occurs on any of the following conditions as opposed to on every connection as in earlier releases:
- Certificate Issuer—Matched when the value of Issuer DNs in a decryption rule's DN rule condition is matched. For more information, see Distinguished Name (DN) rule conditions.
- Certificate Status—Matched when any of the Cert Status conditions are matched in a decryption rule. For more information, see Certificate Status Decryption Rule Conditions.
- Internal/External Certificate—Internal certificates can be matched by the certificate used in Decrypt - Known Key rule actions; external certificates can be matched in Certificates rule conditions. For more information, see Known Key Decryption (Incoming Traffic) and Certificate rule conditions.
- Application ID—Can be matched by Applications rule conditions in either an access control policy or a decryption policy. For more information, see Application rule conditions.
- URL Category—Can be matched by URLs rule conditions in an access control policy. For more information, see URL Rule Conditions.
Note: Enable adaptive TLS server discovery mode is not supported on any Secure Firewall Threat Defense Virtual deployed to AWS. If you have any such devices managed by the Cisco Security Cloud Control, the connection event PROBE_FLOW_DROP_BYPASS_PROXY increments every time the device attempts to extract the server certificate.
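As an added illustration of the probe decision described above (example code written for this page, not Cisco's implementation), the following Python models when a server identity probe is needed and how an Issuer DN rule condition is evaluated against the cached certificate's issuer. The rule and cache structures, the server keys, and the DN matching semantics are assumptions of the example, not the product's.

```python
"""Model of the adaptive TLS server identity probe decision and Issuer DN matching.
Added example; it is not Cisco code. Rule/cache shapes and match semantics are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Rule condition kinds that, per the page, depend on the server certificate or the
# identity derived from it and can therefore trigger a probe (assumed key names).
PROBE_CONDITIONS = {"issuer_dn", "cert_status", "certificate", "app_id", "url_category"}


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse an RFC 4514-style DN ("CN=x,O=y,C=z") into {ATTR: value}.
    Handles backslash-escaped commas only; attribute types are upper-cased."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: take it literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                           # unescaped comma ends the RDN
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    out: Dict[str, str] = {}
    for part in parts:
        if "=" in part:
            attr, value = part.split("=", 1)
            out[attr.strip().upper()] = value.strip()
    return out


def issuer_matches(cert_issuer: str, rule_issuers: List[str]) -> bool:
    """Assumed semantics: a rule DN matches when every attribute it lists appears in
    the certificate's issuer DN with the same value (case-insensitive)."""
    cert = {k: v.lower() for k, v in parse_dn(cert_issuer).items()}
    for rule_dn in rule_issuers:
        want = parse_dn(rule_dn)
        if want and all(cert.get(k) == v.lower() for k, v in want.items()):
            return True
    return False


@dataclass
class Rule:
    name: str
    conditions: Dict[str, list] = field(default_factory=dict)


@dataclass
class IdentityCache:
    # server key (assumed "ip:port") -> issuer DN of the cached server certificate
    certs: Dict[str, str] = field(default_factory=dict)


def needs_probe(rules: List[Rule], server: str, cache: IdentityCache,
                discovery_enabled: bool) -> bool:
    """Probe only when Server Identity Discovery is on, the certificate is not already
    cached, and at least one rule uses a certificate-dependent condition."""
    if not discovery_enabled:
        return False            # page: the system falls back to SNI instead of probing
    if server in cache.certs:
        return False            # page: the probe is never established if already cached
    return any(any(c in PROBE_CONDITIONS for c in rule.conditions) for rule in rules)


def first_matching_rule(rules: List[Rule], server: str, cache: IdentityCache) -> Optional[str]:
    """After the probe has populated the cache, return the first rule whose issuer_dn
    condition matches; a rule without an issuer_dn condition matches unconditionally
    in this simplified model (only that one condition kind is evaluated here)."""
    issuer = cache.certs.get(server)
    for rule in rules:
        want = rule.conditions.get("issuer_dn")
        if want is None:
            return rule.name
        if issuer is not None and issuer_matches(issuer, want):
            return rule.name
    return None


if __name__ == "__main__":
    # Constructed sample policy and server identities (TEST-NET addresses, not real hosts).
    rules = [Rule("block-untrusted-ca", {"issuer_dn": ["O=Example Untrusted CA"]}),
             Rule("decrypt-rest", {"ports": [443]})]
    cache = IdentityCache()
    print("probe needed:", needs_probe(rules, "203.0.113.10:443", cache, True))
    cache.certs["203.0.113.10:443"] = "CN=Example Untrusted CA Root\\, G2,O=Example Untrusted CA,C=US"
    print("probe needed after caching:", needs_probe(rules, "203.0.113.10:443", cache, True))
    print("matched rule:", first_matching_rule(rules, "203.0.113.10:443", cache))
```

The point the model makes explicit is that a policy whose rules use only port, zone, or network conditions never triggers a probe, and that disabling Server Identity Discovery replaces certificate-based identity with the less reliable SNI rather than moving the probe elsewhere.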
Logging options
To expedite troubleshooting and to inform yourself about how your decryption policies are working, we recommend you enable all logging options: bypassed traffic, decrypted traffic, and blocked traffic.
Enable QUIC Decryption
Whether to apply decryption rules to connections that use HTTP/3 over the QUIC protocol. When you decrypt QUIC connections, the system can inspect the contents of the sessions for intrusions, malware, or other issues. You can also apply granular control and filtering of decrypted QUIC connections based on specific criteria in the access control policy. QUIC support is in line with RFCs 9000, 9001, 9002, 9114, and 9204.
Consider the following when implementing QUIC decryption:
- On high availability or clustered devices, QUIC decryption works only if the connection remains on the same node. If the connection fails over, or is forwarded to another node, the connection drops and must be re-established. Multi-instance is supported without restrictions.
- Rules that apply to QUIC traffic would include the UDP protocol with destination port 443.
- Access control rules that apply to QUIC traffic would include the HTTP/3 or QUIC protocols, either explicitly or by implication.
The following limitations apply to QUIC decryption:
- QUIC decryption applies to Firewall Threat Defense 7.6+ only. Devices running a lower release cannot decrypt QUIC connections.
- Connections from browsers using the Chromium stack (Google Chrome, Opera, Edge) cannot be decrypted for outbound traffic, but inbound traffic from the same browsers can be decrypted.
- Connection migration, as described in RFC 9000, is not supported. (QUIC's connection ID lets endpoints keep the same connection across an address change.)
- Key update, session resumption, and QUIC version 2 are not supported.
- Interactive Block and Interactive Block with Reset (in access control rules) are not supported. These actions work as Block and Block with Reset.
- The number of active connection IDs per connection is limited to 5. If necessary, you can modify this limit using the system support quic-tuning and system support quic-tuning-reset commands in the device CLI.
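To show what the "UDP destination port 443 carrying QUIC" traffic referred to above looks like on the wire, here is an added Python example (written for this page, not Cisco code) that parses the QUIC long header defined in RFC 9000 and reports whether a datagram is QUIC version 1, or version 2, which the limitations above list as unsupported. The sample packets are constructed for the example and the classification labels are the example's own; it does not reproduce the appliance's flow handling.

```python
"""Parse QUIC long headers (RFC 9000 section 17.2) from UDP/443 payloads and classify
the QUIC version. Added example, not Cisco code; labels and sample packets are constructed."""
from typing import Optional

QUIC_V1 = 0x00000001             # RFC 9000
QUIC_V2 = 0x6B3343CF             # RFC 9369; listed above as not supported
VERSION_NEGOTIATION = 0x00000000  # RFC 9000 section 17.2.1
MAX_CID_LEN_V1 = 20              # v1 and v2 limit connection IDs to 20 bytes

# Long Packet Type field (bits 0x30 of the first byte) for QUIC v1 only;
# v2 remaps these values, so a type name is reported only for v1.
V1_LONG_TYPES = {0: "initial", 1: "0rtt", 2: "handshake", 3: "retry"}


def parse_long_header(payload: bytes) -> Optional[dict]:
    """Return version, type and connection IDs from a QUIC long header, or None when
    the payload is not a long-header packet (short header, bad fixed bit, truncated)."""
    if len(payload) < 7:                       # first byte + version + two length bytes
        return None
    first = payload[0]
    if first & 0x80 == 0:                      # Header Form bit clear: short (1-RTT) header
        return None
    version = int.from_bytes(payload[1:5], "big")
    # The Fixed Bit must be 1 for every version except Version Negotiation,
    # where the remaining 7 bits of the first byte are unused.
    if version != VERSION_NEGOTIATION and first & 0x40 == 0:
        return None
    limit = MAX_CID_LEN_V1 if version in (QUIC_V1, QUIC_V2) else 255
    pos = 5
    dcid_len = payload[pos]
    pos += 1
    if dcid_len > limit or pos + dcid_len + 1 > len(payload):
        return None
    dcid = payload[pos:pos + dcid_len]
    pos += dcid_len
    scid_len = payload[pos]
    pos += 1
    if scid_len > limit or pos + scid_len > len(payload):
        return None
    scid = payload[pos:pos + scid_len]
    ptype = V1_LONG_TYPES.get((first & 0x30) >> 4) if version == QUIC_V1 else None
    return {"version": version, "type": ptype, "dcid": dcid.hex(), "scid": scid.hex()}


def classify(dst_port: int, payload: bytes) -> str:
    """Map a UDP datagram to one of the outcomes the limitations above describe."""
    if dst_port != 443:
        return "not-quic-rule-traffic"         # rules for QUIC match UDP/443 only
    hdr = parse_long_header(payload)
    if hdr is None:
        return "short-header-or-non-quic"      # an established flow or something else
    if hdr["version"] == VERSION_NEGOTIATION:
        return "version-negotiation"
    if hdr["version"] == QUIC_V1:
        return "v1-decryptable"
    if hdr["version"] == QUIC_V2:
        return "v2-unsupported"
    return "unknown-version"


# Constructed sample datagrams (hex). Payload bytes after the header are filler.
V1_INITIAL = bytes.fromhex(
    "c0"                      # long header, fixed bit, type 0 = Initial
    "00000001"                # version 1
    "08" "0102030405060708"   # DCID length, DCID
    "04" "aabbccdd"           # SCID length, SCID
    "00"                      # token length (varint 0)
    "05" "00deadbeef"         # length (varint 5) and filler
)
V2_INITIAL = bytes.fromhex(
    "d0" "6b3343cf" "08" "0102030405060708" "04" "aabbccdd" "00" "05" "00deadbeef"
)
SHORT_HEADER = bytes.fromhex("40" "0102030405060708" "11223344")

if __name__ == "__main__":
    for name, pkt in (("v1", V1_INITIAL), ("v2", V2_INITIAL), ("short", SHORT_HEADER)):
        print(name, classify(443, pkt), parse_long_header(pkt))
```

Only the long header is parsed here; everything after it (including the NEW_CONNECTION_ID frames that raise the active connection-ID count) is encrypted and is visible only after the decryption the policy option enables.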
Enable TLS 1.3 Decryption
Whether to apply decryption rules to TLS 1.3 connections. If you do not enable this option, the decryption rules apply to TLS 1.2 or lower traffic only. See TLS 1.3 decryption best practices.
Save the policy
After you have configured advanced policy options, see Decryption policy actions.