Add block connections

This task discusses how to block connections based on outdated SSL or TLS protocol versions, on server certificate status, or both.

Note

Blocking affects all outbound connections and takes precedence over all other bypass and decryption conditions you choose.

Before you begin

Complete the tasks discussed in Create a standard decryption policy with outbound protection.

Procedure

Step 1

Locate the Block connections section.

Step 2

To block outbound traffic based on its SSL or TLS protocol version, slide Block based on TLS versions to the enabled position.

Step 3

To block outbound traffic based on server certificate status, slide Block based on certificate status to the enabled position.

Step 4

You have the following options:

  • From the list, select the check box next to an option to add that protocol or status to the policy.

  • Click x next to an item to remove it from the list.

  • Click Reset to default to return the list entries to their original values.

The following figure shows an example of blocking traffic with both TLS versions and server certificate status. Self-signed was added to the list of server certificates to block.

Figure: Example of blocking all traffic that uses insecure protocol versions such as TLS 1.1, or an unsafe certificate status such as self-signed, expired, or not yet valid.
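The following is an added example, not Cisco's code, that models the decision logic this page describes: a connection is blocked when its protocol version is on the blocked-versions list or its server certificate carries a blocked status (self-signed, expired, not yet valid), and that block decision wins over any bypass condition, as the note at the top of the page states. The class and field names, the `bypass_hosts` stand-in for the policy's bypass conditions, and the sample hosts and certificate dates are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical, simplified model of the "Block connections" behaviour
# described on this page. It is not Cisco's implementation; every name
# below is illustrative.


@dataclass
class ServerCertificate:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

    def statuses(self, now: datetime) -> set:
        """Return the certificate-status labels this certificate carries right now."""
        found = set()
        if self.subject == self.issuer:      # a self-signed cert is its own issuer
            found.add("self-signed")
        if now < self.not_before:
            found.add("not yet valid")
        if now > self.not_after:
            found.add("expired")
        return found


@dataclass
class Connection:
    host: str
    tls_version: str
    certificate: ServerCertificate


@dataclass
class DecryptionPolicy:
    block_tls_versions: set = field(default_factory=set)
    block_cert_statuses: set = field(default_factory=set)
    bypass_hosts: set = field(default_factory=set)  # stand-in for the page's bypass conditions

    def evaluate(self, conn: Connection, now: datetime):
        """Return (action, reasons). Block conditions are evaluated first and take
        precedence over bypass conditions, matching the note on the page."""
        reasons = []
        if conn.tls_version in self.block_tls_versions:
            reasons.append(f"protocol version {conn.tls_version} is blocked")
        for status in sorted(conn.certificate.statuses(now) & self.block_cert_statuses):
            reasons.append(f"server certificate is {status}")
        if reasons:
            return "block", reasons
        if conn.host in self.bypass_hosts:
            return "bypass", ["host matches a bypass condition"]
        return "decrypt", []


# Constructed sample data (not real hosts or certificates).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
POLICY = DecryptionPolicy(
    block_tls_versions={"TLS 1.0", "TLS 1.1"},
    block_cert_statuses={"self-signed", "expired", "not yet valid"},
    bypass_hosts={"legacy.example.com"},  # bypassed, yet still blocked below
)
SAMPLE_CONNECTIONS = [
    # Old protocol version on a host that a bypass condition would otherwise exempt.
    Connection("legacy.example.com", "TLS 1.1",
               ServerCertificate("CN=legacy", "CN=Public CA",
                                 datetime(2024, 1, 1, tzinfo=timezone.utc),
                                 datetime(2025, 1, 1, tzinfo=timezone.utc))),
    # Current protocol, but the certificate is self-signed.
    Connection("internal.example.com", "TLS 1.3",
               ServerCertificate("CN=internal", "CN=internal",
                                 datetime(2024, 1, 1, tzinfo=timezone.utc),
                                 datetime(2025, 1, 1, tzinfo=timezone.utc))),
    # Certificate validity window ended before NOW.
    Connection("www.example.com", "TLS 1.2",
               ServerCertificate("CN=www", "CN=Public CA",
                                 datetime(2022, 1, 1, tzinfo=timezone.utc),
                                 datetime(2023, 1, 1, tzinfo=timezone.utc))),
    # Nothing to block; falls through to decryption.
    Connection("ok.example.com", "TLS 1.3",
               ServerCertificate("CN=ok", "CN=Public CA",
                                 datetime(2024, 1, 1, tzinfo=timezone.utc),
                                 datetime(2025, 1, 1, tzinfo=timezone.utc))),
]


def evaluate_samples(policy=POLICY, connections=SAMPLE_CONNECTIONS, now=NOW):
    """Map each sample host to the policy's (action, reasons) decision."""
    return {c.host: policy.evaluate(c, now) for c in connections}


if __name__ == "__main__":
    for host, (action, reasons) in evaluate_samples().items():
        print(f"{host}: {action} {'; '.join(reasons)}")
```

Running the block prints one decision per sample host; the first host shows the precedence rule in practice, since it is on the bypass list but is still blocked for using TLS 1.1.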

Step 5

If you're finished configuring your policy, see Decryption policy actions.