To enable reputable HTTPS traffic to bypass decryption on Cisco Secure Web Appliance, the Decrypt ACL setting must be disabled. Learn how to ensure HTTPS inspection is applied judiciously.
Question
What must be disabled on a Cisco Secure Web Appliance to ensure HTTPS traffic with a good reputation score bypasses decryption?
A. Decrypt ACL
B. Decrypt Policies
C. Decrypt for End-User Acknowledgment
D. Decrypt for End-User Notification
Answer
A. Decrypt ACL
Explanation
The correct answer is A. The Decrypt ACL setting must be disabled on a Cisco Secure Web Appliance to allow HTTPS traffic with a good reputation score to bypass decryption.
The Cisco Secure Web Appliance (formerly Web Security Appliance or WSA) provides web security and control for an organization’s internet traffic. One key capability is decrypting and inspecting HTTPS traffic to detect threats. However, decrypting all HTTPS traffic can impact performance, privacy, and user experience.
To strike the right balance, the appliance allows exempting certain HTTPS traffic from decryption based on reputation score. URLs categorized as reputable by Cisco Talos intelligence can be allowed to pass through without decryption. This optimizes security and performance.
The specific setting that controls this is the Decrypt ACL (Access Control List). When enabled, the Decrypt ACL will decrypt all HTTPS traffic that matches the policy conditions, regardless of reputation. To allow reputable traffic to bypass, the Decrypt ACL must be disabled.
The other options listed – Decrypt Policies, Decrypt for End-User Acknowledgment, and Decrypt for End-User Notification – are separate settings that do not directly control reputation-based decryption exemption:
- Decrypt Policies define the overall handling of different types of HTTPS traffic
- Decrypt for End-User Acknowledgment displays a block page that requires users to agree to decryption
- Decrypt for End-User Notification informs users that their HTTPS traffic may be decrypted
In summary, to ensure efficient yet secure handling of HTTPS, disable the Decrypt ACL on the Cisco Secure Web Appliance. This allows traffic with a good reputation to pass through without undue inspection, so the appliance can focus decryption efforts on higher-risk sites and content.
Cisco 350-701 certification exam assessment practice question and answer (Q&A) dump including multiple-choice questions (MCQ) and objective-type questions, with detailed explanations and references available free, helpful to pass the Cisco 350-701 exam and earn the Cisco 350-701 certification.