I am getting decrypt-cert-validation error for financial websites. I have bypassed financial category from SSL Decryption.
Even though I am bypassing SSL Decryption for finance category but as best practice still using No Decryption profile settings, like Block sessions with expired certificates & Block sessions with untrusted issuers. It seems that after unchecking Block sessions with untrusted issuers option finance web site is working and session end reason is tcp-fin instead of decrypt-cert-validation error. However, I see this is not a good practice. I know that this might be resolved after adding Intermediate or Root certificate in PAN firewall Default Trusted Certificate Authority store but does this means I have to every time import & add third part certs of financial websites ?
671 Views
In my personal opinion, bypassing SSL Decryption across the financial category is not a best practice. The main reason for needing bypass is to use an Application other than a browser. This carries the risk of improper detection of attack. Applications often have individual best practices that you should follow.
In other words, what you want to do is not a best practice, so it's not much different from the current situation.
Instead, you'll be happier if you care about the dns security and second url category for risk assessment.