Create SSL Policy

Create and enable SSL policy to ensure the Symantec Web Security Service correctly intercepts and exempts SSL traffic. Intercepting SSL traffic allows the Web Security Service to decrypt HTTPS connections, examine the contents, and perform policy checks. Exempting SSL traffic allows traffic to remain encrypted. By default, the Web Security Service does not intercept:

  • HTTPS traffic that is categorized as Brokerage/Trading, Financial Services, and Health, because this content usually involves private, sensitive personal account information
  • Applications that are listed in the SSL Bypass List or Mobile App Bypass list because their traffic is known to break due to certificate pinning issues

Note: If traffic is from a mobile device or bypassed (not intercepted), then the Web Security Service does not apply CASB Gatelets or Web Isolation to the traffic. These features are currently not available for mobile traffic, and bypassed traffic cannot be isolated.

For more information on decrypting SSL traffic, see About Scanning Encrypted Traffic.

Note: Before you enable policy, ensure you have downloaded and distributed the root certificate. See Install Encrypted Traffic Certificates.

Procedures

To create policy to exempt or intercept SSL traffic:

  1. In Service Mode, select Network > SSL Interception.
  2. Expand the SSL Interception Policy drop-down and click Add Rule.
  3. (Optional) Add sources:
    1. Click Add Sources.
    2. From the Available Sources drop-down lists, expand an element to filter the view.
    3. Select one or more sources to create policy for and click the right-pointing arrow to move sources to the Source Conditions list.
    4. (Optional) For most categories, you can also create a new source object. The New drop-down list creates the object and adds it to the policy from this dialog, which is useful when you are troubleshooting a source that is not yet part of a custom list.
    5. Click Save.
  4. (Optional) Add destinations:
    1. Click Add Destinations.
    2. From the Available Destinations drop-down lists, expand an element to filter the view.
    3. Select one or more destinations to create policy for and click the right-pointing arrow to move destinations to the Destination Conditions list.
    4. (Optional) For most categories, you can also create a new destination object. The New drop-down list creates the object and adds it to the policy from this dialog, which is useful when you are troubleshooting a destination whose traffic is being broken by SSL policy.
    5. (Optional) You can create policy that uses Symantec's list of mobile applications that are known to break when their traffic is decrypted (typically because the app pins its certificate). To add the list to policy, from the Available Destinations screen, click Mobile App Bypass.
    6. Click Save.
  5. Assign a verdict:
    • To intercept traffic for your defined sources and/or destinations, click Intercept.
    • To exempt traffic for your defined sources and/or destinations, click Do Not Intercept.
  6. Click Add Rule.
  7. After defining interception and exemption policies, enable SSL policy:
    1. Toggle the switch to SSL Interception Enabled.
    2. Click Activate; the WSS now intercepts SSL traffic per the defined policy.

      Warning: Enabling SSL interception on the WSS might introduce unintended results for some websites, because the client now receives a certificate issued by the WSS root CA instead of the site's own CA. If your clients experience dropped connections, consult the information in Troubleshoot Dropped SSL Connections.

  8. (Optional) Configure the service to pass through encrypted traffic to specific destination URLs, IP addresses/subnets, or categories:
    • Domains/URLs—See Pass Through Encrypted Traffic From Specific Destinations.
    • Content Filter categories—See Pass Through Categories That Contain Encrypted Web Traffic .
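
After activating the policy, a quick way to confirm which destinations are actually being intercepted, and to spot a client that is missing the root certificate, is to look at the issuer of the leaf certificate the client receives: an intercepted connection presents a certificate issued by the WSS root CA you distributed, while an exempted or bypassed connection presents the site's own public CA. The script below is an added example written for this page, not Symantec's own tooling. The `INTERCEPT_CA` subject values and the hostnames are placeholders; replace them with the subject of the root certificate you installed under Install Encrypted Traffic Certificates, and run the script from a client whose traffic actually traverses the WSS.

```python
"""Check whether an HTTPS destination is being SSL-intercepted by the WSS.

Added example (not Symantec tooling). It pulls the leaf certificate the client
sees and compares its issuer with the subject of the interception root CA.
If they match, the connection was intercepted; if the issuer is a public CA,
the traffic was exempted (Do Not Intercept, bypass list, or default category).
A certificate verification failure usually means the WSS *is* intercepting but
this host does not yet trust the root certificate.
"""
import socket
import ssl
from typing import Dict, Tuple

# ASSUMPTION / placeholder: subject of your own WSS interception root CA.
INTERCEPT_CA: Dict[str, str] = {
    "organizationName": "Example Corp WSS",
    "commonName": "Example Corp WSS Root CA",
}

# ssl.SSLSocket.getpeercert() represents a DN as a tuple of RDNs, each RDN a
# tuple of (attribute, value) pairs, e.g. ((('countryName', 'US'),), ...).
DN = Tuple[Tuple[Tuple[str, str], ...], ...]


def dn_to_dict(dn: DN) -> Dict[str, str]:
    """Flatten a getpeercert()-style DN into {attribute: value}."""
    out: Dict[str, str] = {}
    for rdn in dn:
        for attr, value in rdn:
            out[attr] = value
    return out


def classify_issuer(cert: Dict, intercept_ca: Dict[str, str] = INTERCEPT_CA) -> str:
    """Classify a parsed peer certificate.

    'intercepted'      issuer matches every attribute in intercept_ca
    'not-intercepted'  issuer is some other (public) CA: exempted or bypassed
    'unknown'          no issuer available (e.g. the peer was not verified)
    """
    issuer_dn = cert.get("issuer")
    if not issuer_dn:
        return "unknown"
    issuer = dn_to_dict(issuer_dn)
    if all(issuer.get(attr) == value for attr, value in intercept_ca.items()):
        return "intercepted"
    return "not-intercepted"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open a TLS connection to host and classify the certificate it presents.

    Uses the OS trust store via create_default_context(), so a client that has
    not installed the WSS root certificate fails verification here exactly as
    a browser would (see the note before the procedure).
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify_issuer(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:  # subclass of SSLError: catch first
        return f"verify-failed: {exc.verify_message} (interception CA not trusted on this host?)"
    except (ssl.SSLError, OSError) as exc:
        return f"connection-failed: {exc}"


if __name__ == "__main__":
    import sys
    # Hostnames are placeholders; pass the destinations you want to check.
    for target in sys.argv[1:] or ["www.example.com"]:
        print(f"{target}: {probe(target)}")
```

Run it once against a destination you expect to be intercepted and once against one covered by a Do Not Intercept rule or a default-exempt category (for example a banking site): the first should report `intercepted`, the second `not-intercepted`. A `verify-failed` result on a machine that should be intercepted points at a missing or mis-deployed root certificate rather than at the policy itself. Note that the script opens a direct socket, so it reflects interception only on clients whose traffic is steered to the WSS transparently (agent, IPsec, or similar); through an explicit proxy you would first need to issue a CONNECT.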

Tip: See also Apply Limited Policy to Non-Intercepted SSL Traffic.