SSL/TLS Inspection Rules: Decryption profile required when action is "Do not decrypt"?

Just noticed when I'm creating a SSL/TLS inspection rule where the 'Action' is set to 'Do not decrypt', I still have to select a 'Decryption profile'. What's the purpose of the decryption profile if the rule is not decrypting?

'

Parents
  • The DPI engine has the ability to enforce many TLS and Certificate checks even if it is not decrypting.

    For example, you could enforce that a connection must be TLS 1.2 or better, but also do not decrypt.

    This is an added feature of the DPI mode that is not available in the traditional web proxy, which can only enforce if it is decrypting.

Reply
  • The DPI engine has the ability to enforce many TLS and Certificate checks even if it is not decrypting.

    For example, you could enforce that a connection must be TLS 1.2 or better, but also do not decrypt.

    This is an added feature of the DPI mode that is not available in the traditional web proxy, which can only enforce if it is decrypting.

Children