Configure Decryption Exceptions
You can purposefully exclude traffic from decryption based on source, destination, URL category, and service (ports and protocols). You can also exclude a specific server from decryption. See the following topics to configure Decryption Exceptions:
Exclude Traffic from Decryption
To exclude traffic from decryption, create a decryption policy rule and set the policy action to No Decrypt. Exclude traffic from decryption based on application, source, destination, URL category, and service (ports and protocols). Because policy rules are compared against incoming traffic in sequence, make sure that a decryption exclusion rule is listed first in your decryption policy.
Exclude Traffic from a Decryption Policy
Exclude traffic from decryption based on match criteria. This example shows how to exclude traffic categorized as financial or health-related from SSL Forward Proxy decryption.
1. Select Policies > Decryption and modify or Create a Decryption Policy rule.
2. Define the traffic that you want to exclude from decryption. In this example:
   a. Give the rule a descriptive Name, such as No-Decrypt-Finance-Health.
   b. Set the Source and Destination to Any to apply the No-Decrypt-Finance-Health rule to all SSL traffic destined for an external server.
   c. Select URL Category and Add the URL categories financial-services and health-and-medicine.
   d. Select Options and set the rule to No Decrypt.
   e. (Optional) You can still use a decryption profile to validate certificates for sessions the firewall does not decrypt. Attach a decryption profile to the rule that is set to Block sessions with expired certificates and/or Block sessions with untrusted issuers.
   f. Click OK to save the No-Decrypt-Finance-Health decryption rule.
3. Place the decryption exclusion rule at the top of your decryption policy. Decryption rules are enforced against incoming traffic in sequence and the first rule that matches the traffic is enforced. Moving the No Decrypt rule to the top of the rule list ensures that traffic matched to the rule remains encrypted, even if the traffic would also match decryption rules further down the list. On the Policies > Decryption page, select the No-Decrypt-Finance-Health rule and click Move Up until it appears at the top of the list (or drag and drop the rule).
4. Commit the configuration.
Exclude a Server from Decryption
You can exclude server traffic from SSL decryption based on the common name (CN) in the server certificate. For example, if you have SSL decryption enabled, you could configure a decryption exception for the server on your corporate network that hosts the web services for your HR systems.
Exclude a Server from Decryption
1. Import the targeted server certificate onto the firewall:
   a. On the Device > Certificate Management > Certificates > Device Certificates tab, select Import.
   b. Enter a descriptive Certificate Name.
   c. Browse for and select the targeted server Certificate File.
   d. Click OK.
2. Select the targeted server certificate on the Device Certificates tab and enable it as an SSL Exclude Certificate. When the targeted server certificate is designated as an SSL Exclude Certificate, the firewall does not decrypt the server traffic even if the traffic matches a decryption policy rule.
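The two mechanisms above interact in a specific way: the SSL Exclude Certificate list takes effect regardless of the decryption rulebase, while a No Decrypt rule only protects traffic if it is evaluated before any Decrypt rule that would also match. The following Python model is an added illustration written for this page, not PAN-OS code or an export of its configuration; the rule and session fields, the catch-all rule Decrypt-All-Outbound, the hostnames and the addresses are constructed assumptions. It replays first-match evaluation with the No-Decrypt-Finance-Health rule placed first and then last, applies the optional profile checks (expired certificate, untrusted issuer) to sessions that are left encrypted, and shows a server on the exclude list bypassing the rulebase entirely.

```python
from dataclasses import dataclass, field, replace
from typing import List, Set

# Constructed model of first-match decryption policy evaluation.
# Illustrative only; field names and default behaviour are assumptions,
# not a description of the firewall's internals.


@dataclass
class Session:
    src: str
    dst: str
    url_category: str
    service: str            # e.g. "tcp/443"
    server_cn: str          # CN from the server certificate
    cert_expired: bool = False
    issuer_trusted: bool = True


@dataclass
class Rule:
    name: str
    action: str                                   # "decrypt" or "no-decrypt"
    sources: Set[str] = field(default_factory=lambda: {"any"})
    destinations: Set[str] = field(default_factory=lambda: {"any"})
    categories: Set[str] = field(default_factory=lambda: {"any"})
    services: Set[str] = field(default_factory=lambda: {"any"})
    block_expired: bool = False                   # decryption profile options
    block_untrusted: bool = False

    def matches(self, s: Session) -> bool:
        def hit(allowed: Set[str], value: str) -> bool:
            return "any" in allowed or value in allowed
        return (hit(self.sources, s.src) and hit(self.destinations, s.dst)
                and hit(self.categories, s.url_category)
                and hit(self.services, s.service))


def evaluate(rules: List[Rule], ssl_exclude_cns: Set[str], s: Session) -> str:
    """Return the decision for one session: the exclude list is consulted
    first, then rules are walked in order and the first match wins."""
    if s.server_cn in ssl_exclude_cns:
        return "no-decrypt (ssl-exclude-certificate)"
    for rule in rules:
        if not rule.matches(s):
            continue
        if rule.action == "no-decrypt":
            # Profile checks still apply to sessions left encrypted.
            if rule.block_expired and s.cert_expired:
                return f"block ({rule.name}: expired certificate)"
            if rule.block_untrusted and not s.issuer_trusted:
                return f"block ({rule.name}: untrusted issuer)"
            return f"no-decrypt ({rule.name})"
        return f"decrypt ({rule.name})"
    # Modelled as: traffic matching no rule is not decrypted.
    return "no-decrypt (no matching rule)"


# The rule from the procedure above, with the optional profile attached.
NO_DECRYPT = Rule("No-Decrypt-Finance-Health", "no-decrypt",
                  categories={"financial-services", "health-and-medicine"},
                  block_expired=True, block_untrusted=True)
# Assumed catch-all rule that would otherwise decrypt everything.
DECRYPT_ALL = Rule("Decrypt-All-Outbound", "decrypt")

# Constructed sample sessions (addresses and names are placeholders).
BANK = Session("10.1.1.5", "203.0.113.10", "financial-services", "tcp/443",
               "www.example-bank.test")
HR = Session("10.1.1.5", "10.2.0.20", "business-and-economy", "tcp/443",
             "hr.corp.example")


def decision_with_rule_first(s: Session) -> str:
    return evaluate([NO_DECRYPT, DECRYPT_ALL], set(), s)


def decision_with_rule_last(s: Session) -> str:
    return evaluate([DECRYPT_ALL, NO_DECRYPT], set(), s)


def decision_with_server_excluded(s: Session) -> str:
    return evaluate([DECRYPT_ALL], {"hr.corp.example"}, s)


if __name__ == "__main__":
    print("rule first :", decision_with_rule_first(BANK))
    print("rule last  :", decision_with_rule_last(BANK))
    print("expired    :", decision_with_rule_first(replace(BANK, cert_expired=True)))
    print("excluded CN:", decision_with_server_excluded(HR))
```

Running the block shows the ordering problem directly: with the exclusion rule first the bank session stays encrypted, with it last the catch-all rule decrypts the same session before the exclusion is ever reached. The HR server, by contrast, is left encrypted under a rulebase that contains only a Decrypt rule, because the exclude list is checked independently of rule order.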