Create and Manage Secure Edge Decrypt Profiles

The decrypt profile is enabled as an application service within a security policy.

Create Decrypt Profiles

Ensure that you have a root certificate imported for the organization before you create a decrypt profile. You can import SSL certificates (root and trusted) from the Certificate Management page (Secure Edge > Service Management > Certificate Management) and associate the certificates with decrypt profiles.
  1. Select Secure Edge > Service Administration > Decrypt.
    The Decrypt Profiles page opens.
  2. Click the plus icon (+).
    The Create Decrypt Profile page opens.
  3. Complete the configuration according to the following guidelines:
    Table 1: Fields on the Decrypt Profile Page

    | Setting | Guideline |
    |---|---|
    | General Information | |
    | Name | Enter a unique name, without spaces, of a maximum of 63 characters. The name can contain alphanumeric characters and special characters such as hyphens and underscores. |
    | Description | Enter a description of a maximum of 255 characters. |
    | Root certificate | Select or add a root certificate. In a public key infrastructure (PKI) hierarchy, the root certificate authority (CA) is at the top of the trust path. Note: To select the root certificate from the device, you must ensure that at least one trusted certificate is installed on the device. |
    | Exempted URL categories | Select the previously defined URL categories to create allowlists that bypass decrypt processing. The selected URL categories are exempted during SSL inspection. Note: You can also add URL categories by clicking the plus icon (+) to open the Create URL Category page. See Create a URL Category. |
    | Exempted addresses | Select the previously defined addresses to create allowlists that bypass decrypt processing. The selected addresses are exempted during SSL inspection. Because SSL encryption and decryption are complicated and expensive procedures, network administrators can selectively bypass decrypt processing for some sessions. Such sessions typically include connections and transactions with trusted servers or domains with which network administrators are very familiar. There are also legal requirements to exempt financial and banking sites. Such exemptions are achieved by configuring the IP addresses or domain names of the servers under allowlists. Note: You can also add addresses by clicking the plus icon (+) to open the Create Addresses page. See Create Addresses or Address Groups. |


  4. Click OK.
A decrypt profile is created, and the Decrypt Profiles page opens, displaying a confirmation message.

Manage Decrypt Profiles

  • Edit—Select the profile, and then click the pencil icon.

  • Clone—Select the profile, and then click More > Clone.

  • Delete—Select the profile, and then click the trash can icon.