Exclude List Screen - ZyXEL Communications ZyWall ATP series User Manual

Table 229 Configuration > Security Service > SSL Inspection > Profile > Add / Edit (continued)
LABEL
Action for
Connection with
unsupported suit
Log
Action for
connection with
untrusted cert
chain
Log
OK
Cancel

33.3 Exclude List Screen

There may be privacy and legality issues regarding inspecting a user's encrypted session. The legal issues
may vary by locale, so it's important to check with your legal department to make sure that it's OK to
intercept SSL traffic from your Zyxel Device users.
To ensure individual privacy and meet legal requirements, you can configure an exclusion list to exclude
matching sessions to destination servers. This traffic is not intercepted and is passed through
uninspected.
Click Configuration > Security Service > SSL Inspection > Exclude List to display the following screen. Use
Add to put a new item in the list or Edit to change an existing one or Remove to delete an existing entry.
Chapter 33 SSL Inspection
DESCRIPTION
SSL Inspection supports these cipher suites:
• DES
• 3DES
• AES
Select to pass or block unsupported traffic (such as other cipher suites, compressed traffic,
client authentication requests, and so on) that matches traffic bound to this policy here.
These are the log options for unsupported traffic that matches traffic bound to this policy:
• no: Select this option to have the Zyxel Device create no log for unsupported traffic that
matches traffic bound to this policy.
• log: Select this option to have the Zyxel Device create a log for unsupported traffic that
matches traffic bound to this policy
• log alert: An alert is an emailed log for more serious events that may need more immediate
attention. They also appear in red in the Monitor > Log screen. Select this option to have the
Zyxel Device send an alert for unsupported traffic that matches traffic bound to this policy.
A certificate chain is a certification process that involves the following certificates between the
SSL/TLS server and a client. A certificate chain will fail if one of the following certificates is not
correct.
• A certificate owned by a user
• The certificate signed by a certification authority
• A root certificate
Select to pass, inspect, or block an untrusted certification chain.
These are the log options for unsupported traffic that matches traffic bound to this policy:
• no: Select this option to have the Zyxel Device create no log for unsupported traffic that
matches traffic bound to this policy.
• log: Select this option to have the Zyxel Device create a log for unsupported traffic that
matches traffic bound to this policy
• log alert: An alert is an emailed log for more serious events that may need more immediate
attention. They also appear in red in the Monitor > Log screen. Select this option to have the
Zyxel Device send an alert for unsupported traffic that matches traffic bound to this policy.
Click OK to save your settings to the Zyxel Device, and return to the profile summary page.
Click Cancel to return to the profile summary page without saving any changes.
ZyWALL ATP Series User's Guide
573