Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Create a Decrypt Profile

Use this page to configure decrypt profiles. decrypt profile is enabled as an application service within a security policy.

To create an decrypt profile:


Ensure that you have a root certificate imported for the tenant before you create an decrypt profile. You can import SSL certificates (root and trusted) from the Certificates page (Administration > Certificates) and associate the certificates with decrypt profiles.

  1. Select Security Subscriptions > Decrypt.

    The decrypt profiles page appears.

  2. Click the add icon (+) to create an decrypt profile.

    The Create Decrypt Profiles page appears.

  3. Complete the configuration according to the guidelines provided in Table 1.

    Fields marked with an asterisk (*) are mandatory.

  4. Click OK.

    An decrypt profile is created. You are returned to the decrypt Profiles page where a confirmation message is displayed.

    Table 1: decrypt profile Setting



    General Information


    Enter a unique name for the profile, which is string of alphanumeric characters and some special characters (- _). No spaces are allowed and the maximum length is 63 characters.


    Enter a description for the profile. The maximum length is 255 characters.

    Preferred Cipher

    Select a preferred cipher. Preferred ciphers enable you to define an SSL cipher that can be used with acceptable key strength. You can select from the following categories:

    • None (Default)—Do not specify a preferred cipher.

    • Medium—Use ciphers with key strength of 128 bits or greater.

    • Strong—Use ciphers with key strength of 168 bits or greater.

    • Weak—Use ciphers with key strength of 40 bits or greater.

    • Custom—Configure a custom cipher suite.

    Custom Ciphers

    If you specified Custom as the preferred cipher, you can define a custom cipher list by selecting ciphers.

    Select the set of ciphers that the SSH server can use to perform encryption and decryption functions.

    The available custom ciphers are:

    • rsa-with-RC4-128-md5—RSA, 128- bit RC4, MD5 hash

    • rsa-with-RC4-128-sha—RSA, 128-bit RC4, SHA hash

    • rsa-with-des-cbc-sha—RSA, DES/CBC, SHA hash

    • rsa-with-3DES-ede-cbc-sha—RSA, 3DES EDE/CBC, SHA hash

    • rsa-with-aes-128-cbc-sha—RSA, 128-bit AES/CBC, SHA hash

    • rsa-with-aes-256-cbc-sha—RSA, 256 bit AES/CBC, SHA hash

    • rsa-export-with-rc4-40-md5—RSA-export, 40 bit RC4, MD5 hash

    • rsa-export-with-des40-cbc-sha—RSA-export, 40 bit DES/CBC, SHA hash

    • rsa-export1024-with-des-cbc-sha—RSA 1024 bit export, DES/CBC, SHA hash

    • rsa-export1024-with-rc4-56-md5—RSA 1024 bit export, 56 bit RC4, MD5 hash

    • rsa-export1024-with-rc4-56-sha—RSA 1024 bit export, 56 bit RC4, SHA hash

    • rsa-with-aes-256-gcm-sha384—RSA, 256 bit AES/GCM, SHA384 hash

    • rsa-with-aes-256-cbc-sha256—RSA, 256 bit AES/CBC, SHA256 hash

    • rsa-with-aes-128-gcm-sha256—RSA, 128 bit AES/GCM, SHA256 hash

    • rsa-with-aes-128-cbc-sha256—RSA, 256 bit AES/CBC, SHA256 hash

    • ecdhe-rsa-with-aes-256-gcm-sha384—ECDHE, RSA, 256 bit AES/GCM, SHA384 hash

    • ecdhe-rsa-with-aes-256-cbc-sha384—ECDHE, RSA, 256 bit AES/CBC, SHA384 hash

    • ecdhe-rsa-with-aes-256-cbc-sha—ECDHE, RSA, 256 bit AES/CBC, SHA hash

    • ecdhe-rsa-with-aes-3des-ede-cbc-sha—ECDHE, RSA, 3DES, EDE/CBC, SHA hash

    • ecdhe-rsa-with-aes-128-gcm-sha256—ECDHE, RSA, 128 bit AES/GCM, SHA256 hash

    • ecdhe-rsa-with-aes-128-cbc-sha256—ECDHE, RSA, 128 bit AES/CBC, SHA256 hash

    • ecdhe-rsa-with-aes-128-cbc-sha—ECDHE, RSA, 128 bit AES/CBC, SHA hash

    Flow Trace

    Move this toggle button to enable flow tracing for troubleshooting the policy-related issues.

    Root Certificate

    Select or add a root certificate. In a public key infrastructure (PKI) hierarchy, the root certificate authority (CA) is at the top of the trust path.


    To select the root certificate from the device, you must ensure that at least one trusted certificate is installed on the device.

    Trusted Certificate Authorities

    Choose whether you want to add all trusted certificates present on the device (All) or select specific trusted certificates. Before establishing a secure connection, the decrypt checks CA certificates to verify signatures on server certificates.

    • Specifying that all trusted certificates should be used means that all trusted certificates on a particular device (site) are used during SSL policy deployment.

    • If you specify that all trusted certificates should be used in an decrypt profile, you must ensure that at least one trusted certificate is installed on the device.

    Exempted Addresses

    Exempted addresses include addresses that you want to exempt from undergoing decrypt processing.

    To specify exempted addressees, select one or more addresses in the Available column and click the forward arrow to confirm your selection. The selected addresses are then displayed in the Selected column. These addresses are used to create allowlists that bypass decrypt processing.

    Because SSL encryption and decryption are complicated and expensive procedures, network administrators can selectively bypass decrypt processing for some sessions.

    Such sessions typically include connections and transactions with trusted servers or domains with which network administrators are very familiar. There are also legal requirements to exempt financial and banking sites. Such exemptions are achieved by configuring the IP addresses or domain names of the servers under allowlists.


    You can also add addresses by clicking Add Address. The Create Addresses page appears. See Create Addresses or Address Groups.

    Exempted URL Categories

    Select the previously defined URL categories to create allowlists that bypass decrypt processing. The selected URL categories are exempted during SSL inspection.


    Server Auth Failure

    Select this check box to ignore errors encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry). This check box is cleared by default.

    We do not recommend this option for authentication, because configuring it results in websites not being authenticated at all. However, you can use this option to effectively identify the root cause for dropped SSL sessions.

    Session Resumption

    Select this check box to disable session resumption. This check box is cleared by default.

    To improve throughput and still maintain an appropriate level of security, SSL session resumption provides a session-caching mechanism so that session information, such as the pre-master secret key and agreed-upon ciphers, can be cached for both the client and server.


    Select one or more events to be logged. You can choose to log all events, warnings, general information, errors, or different sessions (allowed, dropped, or ignored). Logging is disabled by default.


    Select one of the following options if a change in SSL parameters requires renegotiation:

    • None (default)—Indicates that renegotiation is not required.

    • Allow—Allow secure and nonsecure renegotiation.

    • Allow Secure—Allow secure negotiation only.

    • Drop—Drop session on renegotiation request.

    After a session is created and SSL tunnel transport has been established, a change in SSL parameters requires renegotiation. decrypt supports both secure (RFC 5746) and nonsecure (TLS v1.0 and SSL v3) renegotiation.

    When session resumption is enabled, session renegotiation is useful in the following situations:

    • Cipher keys need to be refreshed after a prolonged SSL session.

    • Stronger ciphers need to be applied for a more secure connection.