Decryption policy block connections

This topic describes how to block connections to servers that use insecure TLS versions or have insecure server certificate statuses while you create a decryption policy. The corresponding Block with Reset rules are created in your decryption policy and are disabled by default.

Procedure


Step 1

Complete the tasks mentioned in:

Step 2

The Blocking page provides the following options. By default, all the options are disabled for decryption policy actions.

  • Block connections based on TLS version—Check this check box to block connections to servers using insecure TLS versions. By default, SSL v3.0, TLS v1.0, and TLS v1.1, which are known to be vulnerable, are selected. You can choose other versions from the drop-down list.
  • Block connections based on server certificate status—Check this check box to block connections to servers with insecure server certificate statuses. By default, Invalid Signature, Expired, Not Yet Valid, and Invalid Certificate are selected. You can choose other statuses from the drop-down list.

Click Delete (delete icon) to remove the selections, or click Reset to default to revert to the default selections.

Step 3

Click Next.
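
Because the Block with Reset rules start out disabled, it helps to know which servers would match the default selections in Step 2 before you enable them. The following is an added example, not product code: it evaluates observed connections against the default TLS versions and the Expired and Not Yet Valid statuses. The record shape (what Python's ssl module reports), the host names, and the mapping of version names are assumptions; Invalid Signature and Invalid Certificate need chain validation and are not evaluated.

```python
import ssl

# Default TLS selections from Step 2 (SSL v3.0, TLS v1.0, TLS v1.1), written with
# the names ssl.SSLSocket.version() returns. The name mapping is an assumption.
DEFAULT_BLOCKED_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}

def matching_block_reasons(version, cert, now):
    """List the default Blocking-page selections one connection would match.

    version: string in the form ssl.SSLSocket.version() returns
    cert:    dict in the form ssl.SSLSocket.getpeercert() returns
    now:     evaluation time in seconds since the epoch (UTC)
    """
    reasons = []
    if version in DEFAULT_BLOCKED_VERSIONS:
        reasons.append("TLS version: " + version)
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        reasons.append("Certificate status: Not Yet Valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append("Certificate status: Expired")
    return reasons

def audit(records, now):
    """Map each server to its matching selections; servers matching none are omitted."""
    hits = {}
    for name, version, cert in records:
        reasons = matching_block_reasons(version, cert, now)
        if reasons:
            hits[name] = reasons
    return hits

def _cert(not_before, not_after):
    return {"notBefore": not_before, "notAfter": not_after}

# Constructed sample observations (hypothetical hosts, not real servers).
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 00:00:00 2024 GMT")
VALID = _cert("Jan 15 00:00:00 2024 GMT", "Jan 15 00:00:00 2025 GMT")
SAMPLE_RECORDS = [
    ("legacy.example.test", "TLSv1.1", VALID),
    ("expired.example.test", "TLSv1.2",
     _cert("Mar 15 00:00:00 2023 GMT", "Mar 15 00:00:00 2024 GMT")),
    ("early.example.test", "TLSv1.3",
     _cert("Sep 15 00:00:00 2024 GMT", "Sep 15 00:00:00 2025 GMT")),
    ("old-and-expired.example.test", "TLSv1",
     _cert("Mar 15 00:00:00 2023 GMT", "Mar 15 00:00:00 2024 GMT")),
    ("modern.example.test", "TLSv1.3", VALID),
]

if __name__ == "__main__":
    for host, reasons in audit(SAMPLE_RECORDS, SAMPLE_NOW).items():
        print(host, "->", "; ".join(reasons))
```

If you choose other versions or statuses from the drop-down lists, adjust the set and the checks to match your selections.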


What to do next

Continue with Decryption policy exclusions.