Configuring decryption for domain categories

You can enable or disable encrypted connection scanning for predefined domain categories. Domain categorization is provided by the Kaspersky cloud service, heuristic analysis, and the Kaspersky website database that is included with the solution. By default, encrypted connection scanning is enabled for all domain categories.

For details about website categories, see https://support.kaspersky.com/Legal/WebCategories/en-US/206917.htm.

To configure decryption for selected categories:

  1. In the main menu of the Open Single Management Platform Console, go to the Application & Services → NGFW section.

    This opens the Policy tab.

  2. In the SSL Inspection section, select Exclusions.
  3. On the Categories tab, enable the Use domain category exclusion list toggle switch.

    If the list of domain categories is enabled, Kaspersky NGFW categorizes visited domains, and you can configure exclusions by web categories.

  4. Do one of the following:
    • If you want to configure decryption for multiple domain categories, select the check boxes next to the relevant categories or subcategories and click Don't decrypt or Decrypt in the upper part of the table.
    • If you want to apply an action to a single domain category, select Don't decrypt or Decrypt in the drop-down list in the Action column next to the relevant category or subcategory.

    The selected action is applied to the domain category and its subcategories, or only to a subcategory. If you select the Don't decrypt action for any category or subcategory, domains belonging to this category are excluded from SSL inspection. An event about this action being applied is recorded in the system event log.

  5. Apply the OSMP policy changes by clicking the Commit and push button.

If a visited domain belongs to multiple categories or subcategories, the action configured for the subcategory of the maximum nesting level is applied to it. If a domain belongs to multiple categories or subcategories of the same nesting level that have different actions configured, then the action with the highest priority (Decrypt) is applied.

If you have enabled the list of domain category exclusions, you can also configure event logging when gaining access to domains from predefined categories.

To configure event logging for domain categories:

  1. In the main menu of the Open Single Management Platform Console, go to the Application & Services → NGFW section.

    This opens the Policy tab.

  2. In the SSL Inspection section, select Exclusions.
  3. On the Categories tab, enable the Log if domains from exclusion list are accessed toggle switch to log events for triggered exclusions by predefined categories to the system event log.

    If this toggle switch is disabled, events are not logged for triggered exclusions for predefined web categories.

  4. Apply the OSMP policy changes by clicking the Commit and push button.
Page top