Run the Decryption Policy Wizard

This task discusses how to run the decryption policy wizard for outbound traffic protection. This policy has four rules:

1. Do Not Decrypt rule for distinguished names that are known to be undecryptable, most likely because they use TLS/SSL pinning.

2. Do Not Decrypt rule for URL categories that we classify as sensitive based on their content (for example, medical and financial).

3. Do Not Decrypt rule for applications that are known to be undecryptable, most likely because they use TLS/SSL pinning.

4. Decrypt - Resign rule that uses a certificate authority object named IntCA to decrypt the remainder of the traffic.

You can then edit the rules if you want and also manually add:

• Decrypt - Resign rules for traffic to monitor and determine whether the traffic should be blocked in the future.

• Do Not Decrypt rules for other types of traffic

• Block or Block with Reset rules for bad certificates and unsecure cipher suites.

If you enabled Change Management, you must create and assign a ticket before you can create a decryption policy. Before the decryption policy can be used, the ticket and all associated objects (like certificate authorities) must be approved. For more information, see Creating Change Management Tickets and Policies and Objects that Support Change Management.