Add a Policy for SSL Decryption

Add a Policy for SSL Decryption

SSL decryption policies allow you to specify the traffic you want to leave encrypted and not further analyzed by Netskope via the Real-time Protection policies.


Netskope continues to match against Real-time Protection policies when a connection is matched with a SSL Do Not Decrypt policy. As a part of the SSL decryption policy lookup, when traffic is dropped due to a Real-time Protection policy match, a Skope IT event alert is generated. A user alert or block notification isn’t sent to the user.

To configure a SSL decryption policy:

  1. Navigate to Policies > SSL Decryption.
  2. Click Add Policy. The New SSL Decryption Policy page appears.
  3. For Match Criteria, specify the match criteria for the traffic. You must specify at least one match criteria from the Add Criteria dropdown to create a policy. The system applies the ‘AND’ operator among multiple criteria groups (e.g. user, domain, and category), and the ‘OR’ operator among multiple match criteria values (e.g. Category 1, Category 2, Category 3).

    The following table lists the match criteria options.

  4. CriteriaOptions
    Source Network LocationSearch and add a source network location (select all that apply) and match against User IP and Source IP addresses. Click +New to add a new network location. See Add New Network Location for SSL Decryption for details.


    By default, you can only configure one Source IP type per SSL decryption policy.

    To configure both source IP types together in one policy, the “RBAC V2” and “Source IP Egress AND Condition” features must be enabled for your tenant. Contact Support to enable these features.

    Match Against FieldUser IP Address – This is the user’s internal / private IP address (RFC 1918).
    Egress Source IP Address – This is the user’s external NAT (Public) IP address.
    Traffic that runs through the Netskope gateway, including both the User IP and Egress Source IP addresses are viewable by the system. The distinction is helpful so admins can make selective decisions for internal hosts (user IPs) versus all hosts in a given network (egress IPs).
    Destination Network LocationSearch and add a destination network location, select all that apply. Click +New to add a new network location. See Add New Network Location for SSL Decryption for details.
    CategoryLists all categories
    DomainsList domains as comma separated values.
    Netskope supports domain names based on server name indication (SNI) and not certificate name (CN) or subject alternative name (SAN). Wildcard search is supported.
    UserLists all users
    User GroupLists all user groups
    Organizational UnitLists all organizational units
    App SuiteList of app suites specified with table shown in the App Suite Details topic.
    Each app suite name is mapped to a list of defined domains, and the domain list gets updated for new / changes periodically.
    AppLists apps that are uniquely identifiable based on a single domain name.
    There are no overlapping domains to apps. You can select one or more predefined or custom apps and custom apps have higher priority over predefined apps.
    Access MethodLists all applicable access methods.
    OS FamilyLists all device operating system families.


    This match criteria option is only applicable when the Netskope Client is deployed on the device. For example, the access method is Client or Client is used in combination with other access methods.

  5. For Action, you can select one of the following options:
    • Do Not Decrypt: Traffic will not go through deep analysis.
    • Decrypt: Traffic will move to deep analysis via the Real-time Protection policies.
  6. For Set Policy, enter a Policy Name. Optionally, you can enter a Policy Description.
  7. Click Save.


By default, the policy is disabled; you must enable it after you are done configuring it.

Once you create a policy, you can perform the following actions described in the table below.

EditClick the policy name or edit via the ellipses at the end of the policy row.
DisableClick the policy name or disable via the ellipses at the end of the policy row.
Move to PositionAccess the Move to Position dialog via the ellipses at the end of the policy row. You can select to move the policy to: Top of policy list, Bottom of policy list, Before policy, or After policy. Click Move to apply your change. Note, if you select before or after policy, a dropdown displays in which you must select a policy from the list.
DeleteSelect the policy name and click Delete button or delete via the ellipses at the end of the policy row. Deleting a policy means that the corresponding traffic will be decrypted and sent for deep analysis. If you change your mind, click the ellipses to access the Revert Deletion button.
View Pending ChangesView a list of policies that are new or have changed and click Apply Changes to save and implement the policy. 
FiltersUse the filters at the top of the list page to quickly access or filter out policies by name or criteria added. Click +Add Filter to apply multiple match criteria to the filter. You can save the filter and access it via the carrot, above the Filters search bar. To delete any criteria, click the red X in the upper right corner of the filter label.
Share this Doc

Add a Policy for SSL Decryption

Or copy link

In this topic ...