06-14-2012 02:15 PM
In my opinion, especially when it comes to using PA towards the Internet, you should decrypt everything, and stuff that cannot be decrypted shouldn't be allowed through.
Windowsupdate can be handled separately (for example if you set up a WSUS and only let the WSUS server go for windowsupdate on the Internet using appid windowsupdate).
The tricky part is how this cert whitelist which PA uses affects decryption. Will this whitelist always overrule decrypt settings or will a "deny flows which cannot be decrypted" overrule the whitelist - perhaps someone from PA could clarify?
Anyway - there might be countries/places where you are not supposed/allowed to decrypt stuff on the road. Banking/Financial seems to be a common example.
Otherwise it can be for performance reasons that you don't want to decrypt certain categories, but in my opinion this is bad...
06-15-2012 12:55 AM
Your environment may vary from mine.
My reason for using decrypt is to see what hides inside. Checking the traffic is an attempt to look for and stop unwanted traffic.
So is it likely that “Shopping” may contain things that you do not want in your environment?
My 5 cents is that “Shopping” is not likely to contain malware in the encrypted stream. “Shopping” is likely to have some payment options (credit card numbers). Are you allowed to view those?
Decrypt may break some payment options (used in “shopping”).
Or you may want to limit or block shopping during work hours?
Decrypting traffic may also have legal consequences. Your geographic location and the laws that apply to your company may influence your outcome. US and EU views of “privacy” are somewhat different.
/ Regards Paul M