
Configuring SSL Inspection Policy

You can configure Secure Sockets Layer (SSL) Inspection policies to perform scanning of the SSL traffic based on the source and destination of the traffic. Using these policies, you can simplify the deployment and ongoing operations of SSL Inspection and address the compliance and operational environmental requirements. To learn more, see About SSL Inspection Policy.

To configure an SSL Inspection rule:

  1. Go to Policies > Common Configuration > SSL/TLS Inspection > SSL/TLS Inspection Policy.
  2. Click Add SSL Inspection Rule.

    The Add SSL Inspection Rule window appears.

  3. Under the SSL Inspection Rule section, configure the following rule attributes:

    • Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule's place in the order. You can change the value, but if you've enabled admin rank, your assigned admin rank determines the Rule Order values you can select.
    • Admin Rank: Enter a value from 0 to 7 (0 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule's admin rank determines the value you can select in Rule Order, so that a rule with a higher admin rank always precedes a rule with a lower admin rank.
    • Rule Name: Enter a user-friendly name for the rule. The maximum length is 31 characters.
    • Rule Status: Enable this option to actively enforce the rule. When the option is disabled, the service does not enforce the rule; it skips the rule and moves on to the next one. The rule keeps its place in the rule order either way.
    • Rule Label: Select a rule label to associate it with the rule. To learn more, see About Rule Labels.

  4. Under the Criteria section, configure the appropriate rule attributes:

    • Source IP Groups: Select any number of source IP groups. You can also search for source IP groups or click the Add icon to add a new source IP group. Selecting no value ignores the criterion in the policy evaluation.
    • URL Categories: Select any number of URL super categories or categories. Selecting no value ignores the criterion in the policy evaluation.
    • Cloud Applications: Select any number of cloud applications or cloud application classes. Selecting no value ignores the criterion in the policy evaluation.
    • Destination Groups: Select any number of destination groups. Selecting no value ignores the criterion in the policy evaluation. The supported group types are IP, FQDN, and Wildcard FQDN. The countries and custom categories configured in the destination groups are ignored.
    • Forwarding Gateways: Select any number of gateways configured for third-party proxies. Selecting no value ignores the criterion in the policy evaluation.
    • Application Segment: Select up to 255 application segments. Selecting no value ignores the criterion in the policy evaluation.

      The list displays only those application segments that have the Source IP Anchor option enabled.

    • Locations: Select up to 8 locations. Selecting no value ignores the criterion in the policy evaluation.
    • Location Groups: Select up to 32 location groups. Selecting no value ignores the criterion in the policy evaluation.
    • Users: Select up to 4 general and/or special users. Select General Users for all authenticated users and Special Users for all unauthenticated users. Selecting no value ignores the criterion in the policy evaluation.
    • Groups: Select up to 8 groups. Selecting no value ignores the criterion in the policy evaluation.
    • Departments: Select up to 8 departments. If you've enabled the unauthenticated users policy, you can select Special Departments for unauthenticated traffic. Selecting no value ignores the criterion in the policy evaluation.
    • Devices: Select the devices for which you want to apply the rule. Selecting no value ignores the criterion in the policy evaluation.
    • Device Groups: Select the device group for which you want to apply the rule. For Zscaler Client Connector traffic, select the appropriate group based on the device platform. Select Cloud Browser Isolation or No Client Connector to apply the rule to Isolation traffic or for traffic that is not tunneled through Zscaler Client Connector, respectively. Selecting no value ignores the criterion in the policy evaluation.

      The Cloud Browser Isolation group is available only if Isolation is enabled for your organization.

    • Remote Users with Kerberos: Select Yes to apply this policy to remote users using Kerberos authentication. This criterion applies only to remote user traffic with Kerberos authentication, which is forwarded via PAC files and not via Zscaler Client Connector. Selecting no value ignores the criterion in the policy evaluation.
    • Device Trust Level: Select the device trust level values (High Trust, Medium Trust, Low Trust, or Unknown) to which the rule applies. While the High Trust, Medium Trust, or Low Trust evaluation is applicable only to Zscaler Client Connector traffic, Unknown evaluation applies to all traffic. Selecting no value ignores the criterion in the policy evaluation.

      The trust levels assigned to the devices are based on your posture configurations.

    • CONNECT User-Agent: Select any number of user agents. This criterion applies only to SSL traffic forwarded in explicit proxy mode (PAC or PAC over tunnel) and not to traffic forwarded via a transparent proxy (tunnel) or Z-Tunnel 1.0 due to lack of user agent context. Selecting no value ignores the criterion in the policy evaluation.

  5. From the Action section, choose the appropriate action (Inspect, Do Not Inspect, or Block) for the SSL/TLS traffic that matches the defined criteria:
    • If you choose the Inspect action, configure the following settings:

      • Override Default Intermediate CA Certificate: Select Yes to override the default intermediate Certificate Authority (CA) certificate.
      • Intermediate CA Certificate: Choose an intermediate CA certificate from the list. This option is only available if you have selected Yes in the Override Default Intermediate CA Certificate field.
      • Untrusted Server Certificates: Select how the service handles untrusted certificates (e.g., path validation failure, unknown issuer, certificate expired, common name does not match).
        • Allow: The service allows access to sites with untrusted certificates. Certificate warnings are only displayed when users access sites with expired certificates.
        • Pass Through: Certificate warnings are displayed to users, and they can decide to proceed to the site.
        • Block: The service blocks access to sites with untrusted certificates.
      • Block No Server Name Indication (SNI): Enable this option to block any traffic that does not contain the SNI in the Client Hello message during SSL handshake. This option is disabled by default.
      • OCSP Revocation Check: Enable this option to include certificate revocation check in the untrusted server certificate validation. The service uses the Online Certificate Status Protocol (OCSP) to obtain the revocation status of a certificate. If the OCSP check fails, the action is determined by the Untrusted Server Certificates setting.
      • Block Undecryptable Traffic: Enable this option to block traffic from servers that use non-standard encryption methods or require mutual TLS authentication.
      • Minimum Client TLS Version: Select the minimum TLS version required for your clients to establish a connection. The service blocks the connections for clients that do not meet the specified minimum TLS version requirement.
      • Minimum Server TLS Version: Select the minimum TLS version required for your servers to establish a connection. The service blocks the connections for servers that do not meet the specified minimum TLS version requirement.
      • Enable HTTP/2: Enable to make HTTP/2 the web protocol used for accessing all applications.

        The HTTP/2 feature is only available if it is enabled for your organization. HTTP/2 is enabled by default for all new tenants.

    • If you choose the Do Not Inspect action, you can further choose to either Evaluate Other Policies or Bypass Other Policies. Choosing Bypass Other Policies bypasses web policies (URL Filtering and Cloud App Control) for the TLS traffic. If you choose to evaluate other policies for the traffic, you can configure the following settings:

      • Untrusted Server Certificates: Select how the service handles untrusted certificates (e.g., path validation failure, unknown issuer, certificate expired, Common Name does not match).
        • Allow: The service allows access to sites with untrusted certificates. While the service does not reset the TCP connection, the browser displays an Invalid Certificate warning message.
        • Block: The service blocks access to sites with untrusted certificates by resetting the TCP connection.
      • Block No Server Name Indication (SNI): Enable this option to block any traffic that does not contain the SNI in the Client Hello message during SSL handshake. This option is disabled by default.
      • Show Notifications for Blocked Traffic: Enable this setting to display end user notifications to users if the traffic is blocked by other web policies. Ensure that you install the Zscaler root CA certificate or your enterprise root CA certificate in your clients' truststore, so the service can reply or redirect the user to the notification page. If no certificate is installed, the browser displays an Invalid Certificate warning message. If this setting is disabled, the service resets the connection with a generic failed connection message from the browser.
        • Show Notification for ATP Blocks: Enable this setting to display Advanced Threat Protection (ATP) notifications to the users if the ATP traffic is blocked. This field is only available if you have enabled Show Notifications for Blocked Traffic.
        • Override Default Intermediate CA Certificate: Select Yes to override the default intermediate CA certificate. This field is only available if you have enabled Show Notifications for Blocked Traffic.
        • Intermediate CA Certificate: Choose an intermediate CA certificate from the list. This option is only available if you have selected Yes in the Override Default Intermediate CA Certificate field.
      • OCSP Revocation Check: Enable this option to include certificate revocation check in the untrusted server certificate validation. The service uses OCSP stapling to obtain the revocation status of a certificate. If the OCSP check fails, the action is determined by the Untrusted Server Certificates setting.

        In TLS 1.3 the server certificate is sent encrypted, so the service relies on a certificate cached from a previously decrypted connection to enforce the revocation and validation checks.

      • Minimum TLS Version: Select the minimum TLS version required for your connections. The service blocks the connections that do not meet the specified minimum TLS version requirement.


    • If you choose the Block action, you can choose to enable or disable end user notifications:

      • Show End User Notifications: Enable this setting to display end user notifications. Ensure that you install the Zscaler root CA certificate or your enterprise root CA certificate in your clients' truststore, so the service can reply or redirect the user to the notification page. If no certificate is installed, the browser displays an invalid certificate warning message. If this setting is disabled, the service resets the connection with a generic failed connection message from the browser.
        • Override Default Intermediate CA Certificate: Select Yes to override the default intermediate CA certificate. This field is only available if you have enabled Show End User Notifications.
        • Intermediate CA Certificate: Choose an intermediate CA certificate from the list. This option is only available if you have selected Yes in the Override Default Intermediate CA Certificate field.

  6. (Optional) Enter a description for the rule in the Description field. The description cannot exceed 10,240 characters.
  7. Click Save and activate the change.
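The rule attributes in steps 3 and 4 describe a first-match policy: rules are walked in ascending Rule Order, a disabled rule is skipped but keeps its position, a criterion with no selected value is ignored, and a higher admin rank (lower number) always precedes a lower one. The following Python model is an added example, not Zscaler's code; the rule names, criterion names and flow attributes are constructed for illustration, and the behaviour when no rule matches is left undefined because the page does not state a default.

```python
"""Added example (not Zscaler's code): a model of the first-match rule
evaluation described in the SSL Inspection Rule and Criteria steps.
Assumed semantics, taken from the page: ascending Rule Order, disabled
rules skipped but keeping their place, empty criteria ignored, and admin
rank never decreasing along the rule order. All values are constructed."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    order: int
    name: str
    action: str            # "Inspect", "Do Not Inspect" or "Block"
    admin_rank: int = 7    # 0 is the highest rank, 7 the lowest
    enabled: bool = True   # Rule Status
    # criterion name -> set of selected values; an empty set means "no value"
    criteria: dict = field(default_factory=dict)


def rule_matches(rule: Rule, flow: dict) -> bool:
    """A rule matches when every criterion that has selected values contains
    the flow's attribute; criteria with no selected value are ignored."""
    for criterion, selected in rule.criteria.items():
        if not selected:
            continue
        if flow.get(criterion) not in selected:
            return False
    return True


def evaluate(rules, flow):
    """Return (rule name, action) of the first enabled matching rule in Rule
    Order, or None when nothing matches (no default is assumed here)."""
    for rule in sorted(rules, key=lambda r: r.order):
        if not rule.enabled:
            continue                      # skipped, but still occupies its slot
        if rule_matches(rule, flow):
            return rule.name, rule.action
    return None


def rank_order_is_consistent(rules) -> bool:
    """Check the admin-rank invariant: walking the rules in Rule Order, the
    rank number must never decrease (a rank-0 rule cannot follow a rank-3 rule)."""
    ranks = [r.admin_rank for r in sorted(rules, key=lambda r: r.order)]
    return all(a <= b for a, b in zip(ranks, ranks[1:]))


# Constructed sample policy (hypothetical names and criterion keys).
SAMPLE_RULES = [
    Rule(1, "Bypass banking", "Do Not Inspect", admin_rank=0,
         criteria={"url_category": {"Finance"}}),
    Rule(2, "Lab pilot (disabled)", "Block", admin_rank=3, enabled=False,
         criteria={"location": {"Lab"}}),
    Rule(3, "Inspect Client Connector devices", "Inspect", admin_rank=3,
         criteria={"device_group": {"Windows", "macOS"}, "location": set()}),
    Rule(4, "Block missing SNI", "Block", admin_rank=7,
         criteria={"has_sni": {False}}),
]

if __name__ == "__main__":
    flow = {"url_category": "News", "device_group": "Windows",
            "location": "Lab", "has_sni": True}
    print(evaluate(SAMPLE_RULES, flow))            # rule 2 is skipped, rule 3 wins
    print(rank_order_is_consistent(SAMPLE_RULES))  # True
```

`rank_order_is_consistent` is the check an administrator would run after reordering rules by hand: the UI enforces the rank constraint through the Rule Order values it offers, but an exported policy edited elsewhere can violate it.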
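Two of the action settings in step 5, Block No Server Name Indication (SNI) and the minimum client TLS version, are decided from fields in the TLS Client Hello before any decryption happens. The parser below is an added example, not Zscaler's code, showing where those fields live in the handshake (layout per RFC 8446: the `server_name` extension, type 0, and the `supported_versions` extension, type 43, with `legacy_version` as the fallback for clients that do not send the latter). The Client Hello bytes are constructed rather than captured, and the thresholds passed to `check_client_hello` are assumptions standing in for the rule's settings.

```python
"""Added example (not Zscaler's code): parse the TLS ClientHello fields that
the Block No SNI and Minimum Client TLS Version settings depend on.
Record/handshake layout follows RFC 8446; sample messages are constructed."""
import struct

SNI_EXT = 0
SUPPORTED_VERSIONS_EXT = 43
TLS_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def build_client_hello(server_name=None, versions=(0x0304, 0x0303), legacy_version=0x0303):
    """Build a minimal ClientHello record (constructed test input, not a capture)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name(0)
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(name_list)) + name_list
    if versions:
        vers = b"".join(struct.pack("!H", v) for v in versions)
        body = bytes([len(vers)]) + vers
        exts += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(body)) + body
    hello = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"  # version, random, empty session id
    hello += struct.pack("!H", 2) + b"\x13\x01"                      # one cipher suite
    hello += b"\x01\x00"                                             # null compression only
    hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello      # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'sni': name or None, 'max_version': highest version offered}."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                      # skip 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                # skip handshake type + 3-byte length
    legacy_version = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    p += 32                              # random
    p += 1 + hs[p]                       # session id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher suites
    p += 1 + hs[p]                       # compression methods
    info = {"sni": None, "max_version": legacy_version}
    if p >= len(hs):                     # no extensions block at all
        return info
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
        data = hs[p:p + elen]; p += elen
        if etype == SNI_EXT and len(data) >= 5:
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == SUPPORTED_VERSIONS_EXT and data:
            n = data[0]
            offered = [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, n, 2)]
            info["max_version"] = max(offered)   # TLS 1.3 clients put 0x0303 in legacy_version
    return info


def check_client_hello(record, block_no_sni=True, min_client_version=0x0303):
    """Apply the two ClientHello-level checks; thresholds are assumed rule settings."""
    info = parse_client_hello(record)
    if block_no_sni and info["sni"] is None:
        return "Block", "no SNI in Client Hello"
    if info["max_version"] < min_client_version:
        name = TLS_NAMES.get(info["max_version"], hex(info["max_version"]))
        return "Block", f"client offers at most {name}"
    return "Allow", f"sni={info['sni']} max={TLS_NAMES.get(info['max_version'])}"


if __name__ == "__main__":
    print(check_client_hello(build_client_hello("example.com")))
    print(check_client_hello(build_client_hello(None)))
    print(check_client_hello(build_client_hello("legacy.example", versions=(), legacy_version=0x0301)))
```

The parser reads only the cleartext Client Hello, which is why both checks work under Do Not Inspect as well as Inspect; the server-side checks (certificate validation, OCSP, Minimum Server TLS Version) need the server's messages and, under TLS 1.3, the cached certificate the page mentions.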