You can purposefully exclude traffic from decryption based on matching criteria, such as the traffic’s source, destination, URL category, or service. You can also exclude a specific server’s traffic from decryption. See the following topics to configure
To purposefully exclude applications or certain traffic from other existing SSL or SSH decryption policies, you can create a new decryption policy that defines the traffic to exclude from decryption with the
action selected in the policy. You can define traffic for policy-based exclusion according to matching criteria, such as source, destination, URL categories, or the service (port or protocol). Make sure the decryption policy that excludes traffic from decryption is listed first in your decryption policy list by dragging and dropping the policy above the other decryption policies.
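The ordering requirement above, as an added example that is not from the original documentation: a simplified Python model of top-down, first-match policy evaluation that flags exclusion rules a preceding decrypt rule would shadow. The rule names, the field values and the one-value-per-criterion matching are assumptions made for illustration.

```python
from dataclasses import dataclass

ANY = "any"  # wildcard for a criterion (assumed notation for this model)
FIELDS = ("source", "destination", "url_category", "service")

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "decrypt" or "no-decrypt"
    source: str = ANY
    destination: str = ANY
    url_category: str = ANY
    service: str = ANY

    def matches(self, flow: dict) -> bool:
        # A rule matches when every criterion is a wildcard or equals the flow's value.
        return all(getattr(self, f) in (ANY, flow[f]) for f in FIELDS)

    def covers(self, other: "Rule") -> bool:
        # True when every flow matched by `other` is also matched by this rule.
        return all(getattr(self, f) in (ANY, getattr(other, f)) for f in FIELDS)

def first_match(rules, flow):
    """Top-down evaluation: the first matching rule decides the action."""
    return next((r for r in rules if r.matches(flow)), None)

def shadowed_exclusions(rules):
    """Return (exclusion, shadowing rule) name pairs where the exclusion can never fire."""
    found = []
    for i, rule in enumerate(rules):
        if rule.action != "no-decrypt":
            continue
        for earlier in rules[:i]:
            if earlier.action == "decrypt" and earlier.covers(rule):
                found.append((rule.name, earlier.name))
                break
    return found

# Constructed sample policy and flow (all names and values are illustrative).
decrypt_all = Rule("decrypt-outbound", "decrypt", source="trust")
skip_finance = Rule("skip-financial", "no-decrypt", source="trust",
                    url_category="financial-services")
flow = {"source": "trust", "destination": "untrust",
        "url_category": "financial-services", "service": "tcp/443"}

wrong_order = [decrypt_all, skip_finance]   # exclusion listed second: never reached
right_order = [skip_finance, decrypt_all]   # exclusion listed first: takes effect
```

Running `shadowed_exclusions` over an exported rule list before committing a change shows which exclusions need to be moved above the broader decrypt rules.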
You can exclude a targeted server’s traffic from SSL decryption based on the Common Name (CN) in the server’s certificate. For example, if you have SSL decryption enabled, you could configure a decryption exception for the server on your corporate network that hosts the web services for your HR systems. See the following procedure to configure a server’s certificate so that the targeted server’s traffic is excluded from decryption: