Configure Decryption Exceptions
You can purposefully exclude traffic from decryption based on matching criteria, such as the traffic’s source, destination, URL category, or service. You can also exclude a specific server’s traffic from decryption. See the following topics to configure Decryption Exceptions:
Exclude Traffic From Decryption
To purposefully exclude applications or certain traffic from other existing SSL or SSH decryption policies, you can create a new decryption policy that defines the traffic to exclude from decryption with the No Decrypt action selected in the policy. You can define traffic for policy-based exclusion according to matching criteria, such as source, destination, URL categories, or the service (port or protocol). Make sure the decryption policy that excludes traffic from decryption is listed first in your decryption policy list by dragging and dropping the policy above the other decryption policies.
See the following procedure to configure a decryption policy that excludes traffic from SSL or SSH decryption.
Exclude Traffic from a Decryption Policy
1. Create a decryption policy. Use a decryption policy to exclude traffic from decryption according to the traffic’s source and destination zones or addresses and URL categories. This example shows how to exclude traffic categorized as financial or health-related from SSL Forward Proxy decryption.
   a. Go to Policies > Decryption and click Add.
   b. Give the policy a descriptive Name, such as No-Decrypt-Finance-Health.
   c. On the Source and Destination tabs, select Any for the Source Zone and Destination Zone to apply the No-Decrypt-Finance-Health rule to all SSL traffic destined for an external server.
   d. On the URL Category tab, Add the URL categories financial-services and health-and-medicine to the policy, specifying that traffic matching these categories will not be decrypted.
   e. On the Options tab, select No Decrypt and select the Type of decryption policy you are excluding the traffic from. For example, to exclude traffic categorized as financial or health-related from a separately configured SSL Forward Proxy decryption policy, select SSL Forward Proxy as the Type.
   f. Click OK to save the No-Decrypt-Finance-Health decryption policy.
2. Move the decryption policy to the top of the list of decryption policies. On the Policies > Decryption page, select the policy No-Decrypt-Finance-Health and click Move Up until it appears at the top of the list (or drag and drop it). The order in which the decryption policies are listed is the order in which they are applied to network traffic. Moving the policy with the No Decrypt action to the top of the list ensures that the specified traffic is not decrypted by another configured policy that would otherwise match it first.
3. Commit the configuration. A decryption policy with No Decrypt enabled ensures that the specified traffic remains encrypted as it flows through the firewall, and that the traffic is not decrypted according to other decryption policies configured and listed on the Policies > Decryption page.
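Because rule order decides whether the exception takes effect, it is worth checking the committed rulebase rather than trusting the drag-and-drop. The following added example (not part of this page or of PAN-OS itself) parses a decryption rulebase in the XML layout of an exported configuration and reports any No Decrypt rule that sits below a Decrypt rule whose URL categories already cover it. The sample XML is constructed for illustration, and the element layout is an assumption modelled on the running-config export; verify it against your own export before relying on it.

```python
"""Flag no-decrypt exception rules that are shadowed by an earlier decrypt rule."""
import xml.etree.ElementTree as ET

# Constructed sample (assumed layout): the exception rule was created
# but never moved above the catch-all decrypt rule, so it never matches.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<vsys><entry name="vsys1"><rulebase><decryption><rules>
  <entry name="Decrypt-All-Outbound">
    <from><member>trust</member></from><to><member>untrust</member></to>
    <category><member>any</member></category>
    <action>decrypt</action><type><ssl-forward-proxy/></type>
  </entry>
  <entry name="No-Decrypt-Finance-Health">
    <from><member>any</member></from><to><member>any</member></to>
    <category><member>financial-services</member>
              <member>health-and-medicine</member></category>
    <action>no-decrypt</action><type><ssl-forward-proxy/></type>
  </entry>
</rules></decryption></rulebase></entry></vsys></entry></devices></config>"""


def decryption_rules(config_xml):
    """Return the decryption rules in rulebase order as (name, action, categories)."""
    root = ET.fromstring(config_xml)
    rules = []
    for entry in root.iterfind(".//rulebase/decryption/rules/entry"):
        action = entry.findtext("action", default="")
        categories = [m.text for m in entry.iterfind("category/member")]
        rules.append((entry.get("name"), action, categories))
    return rules


def shadowed_exceptions(config_xml):
    """Return (exception_rule, shadowing_rule) pairs for every no-decrypt rule
    that is listed below a decrypt rule whose categories are 'any' or overlap
    the exception's categories; such an exception never takes effect."""
    rules = decryption_rules(config_xml)
    findings = []
    for i, (name, action, categories) in enumerate(rules):
        if action != "no-decrypt":
            continue
        for earlier_name, earlier_action, earlier_cats in rules[:i]:
            covers = "any" in earlier_cats or set(earlier_cats) & set(categories)
            if earlier_action == "decrypt" and covers:
                findings.append((name, earlier_name))
    return findings


if __name__ == "__main__":
    for exception, shadow in shadowed_exceptions(SAMPLE_CONFIG):
        print(f"{exception!r} is listed below {shadow!r}; move it to the top")
```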
Exclude a Server From Decryption
You can exclude a targeted server’s traffic from SSL decryption based on the Common Name (CN) in the server’s certificate. For example, if you have SSL decryption enabled, you could configure a decryption exception for the server on your corporate network that hosts the web services for your HR systems. See the following procedure to configure a server’s certificate so that the targeted server’s traffic is excluded from decryption:
Exclude a Server from Decryption
1. Import the targeted server’s certificate onto the firewall.
   a. On the Device > Certificate Management > Certificates > Device Certificates tab, select Import.
   b. Enter a descriptive Certificate Name.
   c. Browse for and select the targeted server’s Certificate File.
   d. Click OK.
2. Select the targeted server’s certificate on the Device Certificates tab and enable it as an SSL Exclude Certificate. With the targeted server’s certificate imported on the firewall and designated as an SSL Exclude Certificate, the server’s traffic is not decrypted as it passes through the firewall.