Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
988
Views
0
Helpful
1
Replies

How to understand Decrypt, No Decrypt or Pass Through option ?

Go to solution
Rps-Cheers
VIP
VIP

‎10-17-2022 02:49 AM

How to understand Decrypt, No Decrypt or Pass Through option in Cisco SDWAN TLS/SSL Profile?

If you choose URLs, enter the following:

VPNs

TLS/SSL profile.

Enter a name for the profile.

Choose Decrypt, No Decrypt or Pass Through. Alternatively, you can choose multiple categories and set the action for all of them using the actions drop-down menu.

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/ios-xe-17/security-book-xe/m-ssl-proxy.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rps-Cheers
VIP
VIP

‎11-03-2022 08:19 PM

  • drop: If the verdict is drop, the hello packet from the client is dropped and the connection is reset.

 

  • do-not-decrypt: If the verdict is do-not-decrypt, the hello packet bypasses TLS proxy.

 

  • decrypt: If the verdict is decrypt, the packet is forwarded to the client and goes through the following:

 

TCP optimization for optimization of traffic

 

Decryption of encrypted traffic through TLS proxy

 

Threat inspection through UTD

 

Re-encryption of decrypted traffic through TLS proxy

 

Note        

If there is a delay in determining the decrypt status of the flow, the UTD configuration for fail-decrypt is exercised.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Rps-Cheers
VIP
VIP

‎11-03-2022 08:19 PM

  • drop: If the verdict is drop, the hello packet from the client is dropped and the connection is reset.

 

  • do-not-decrypt: If the verdict is do-not-decrypt, the hello packet bypasses TLS proxy.

 

  • decrypt: If the verdict is decrypt, the packet is forwarded to the client and goes through the following:

 

TCP optimization for optimization of traffic

 

Decryption of encrypted traffic through TLS proxy

 

Threat inspection through UTD

 

Re-encryption of decrypted traffic through TLS proxy

 

Note        

If there is a delay in determining the decrypt status of the flow, the UTD configuration for fail-decrypt is exercised.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !
0 Helpful
Top