Decryption
Decryption is necessary for proper functioning of all features enabled in the security profile, and for processing traffic to most internet destinations in general. When enabled, all internet traffic will be decrypted except as specified in the selected Do Not Decrypt list. For more information about decryption, see Manage Traffic Decryption.
Generally, you should disable decryption only if the security profile will be used in rules that:
- Have only destinations to which traffic should never be decrypted, for example for privacy or confidentiality reasons (such as medical or financial sites) in locations that regulate this traffic.
- Have sources that only include devices on which you cannot install certificates required to decrypt and inspect traffic, such as devices that are not managed by your organization, for example vendors' or contractors' devices.
- Have only sources that cannot respond to certificates required for decryption, such as IoT devices, printers, or kiosks.
- Allow access to applications that will not work properly if decryption is enabled, including Microsoft 365 and applications that use certificate pinning.
- Include only known safe destinations.
For example, use this profile for rules that control access to the sites that IoT devices access in order to update their software.
If you enable decryption, you can opt not to decrypt traffic to specific destinations. For more information, see Important Information About Do Not Decrypt Lists.
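The following is an added example, not code from the product documentation, that models the decision described above: with decryption enabled, every destination is decrypted unless it matches an entry in the Do Not Decrypt list; with decryption disabled in the profile, nothing is. The `SecurityProfile` and `should_decrypt` names, the domain-suffix matching, and the category labels are assumptions made for illustration; the product's actual matching semantics are not stated on this page.

```python
"""Added example (not from the product documentation).

Models the decrypt / do-not-decrypt decision for a destination under a
security profile. Matching rules (hostname plus subdomains, and category
labels) are assumptions for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SecurityProfile:
    # When False, no traffic handled by rules using this profile is decrypted.
    decryption_enabled: bool = True
    # Constructed Do Not Decrypt list. A hostname entry matches itself and
    # any subdomain; a category entry matches destinations carrying that label.
    do_not_decrypt_domains: set[str] = field(default_factory=set)
    do_not_decrypt_categories: set[str] = field(default_factory=set)


def _domain_matches(host: str, entry: str) -> bool:
    """True if host equals entry or is a subdomain of it (case-insensitive)."""
    host = host.lower().rstrip(".")
    entry = entry.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)


def should_decrypt(profile: SecurityProfile, host: str,
                   categories: tuple[str, ...] = ()) -> tuple[bool, str]:
    """Return (decrypt?, reason) for one destination under the profile."""
    if not profile.decryption_enabled:
        return False, "decryption disabled in profile"
    for entry in sorted(profile.do_not_decrypt_domains):
        if _domain_matches(host, entry):
            return False, f"matches Do Not Decrypt domain {entry}"
    hit = set(categories) & profile.do_not_decrypt_categories
    if hit:
        return False, f"in Do Not Decrypt category {sorted(hit)[0]}"
    return True, "default: decrypt"


def evaluate(profile: SecurityProfile,
             destinations: list[tuple[str, tuple[str, ...]]]) -> dict[str, bool]:
    """Evaluate several (host, categories) pairs; returns host -> decrypt?"""
    return {host: should_decrypt(profile, host, cats)[0]
            for host, cats in destinations}


if __name__ == "__main__":
    # Constructed sample profile and destinations.
    profile = SecurityProfile(
        do_not_decrypt_domains={"example-bank.test"},
        do_not_decrypt_categories={"Health"},
    )
    sample = [
        ("www.example-bank.test", ()),          # subdomain of a listed host
        ("notexample-bank.test", ()),           # not a subdomain: decrypted
        ("portal.clinic.test", ("Health",)),    # listed category
        ("updates.iot-vendor.test", ()),        # default: decrypted
    ]
    for host, cats in sample:
        print(host, should_decrypt(profile, host, cats))
```

The suffix check in `_domain_matches` is the detail worth noticing: a naive `endswith(entry)` would also exempt `notexample-bank.test` from decryption, quietly widening the Do Not Decrypt list.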