Though I'm sharing your views on Decryption, this is nevertheless great news! We definitely have some clients wanting to jump onto that wagon and your testing sounds as if this isn't going to be turning out as a disaster.

Guess it stillt has to be requested via support case?

Thanks for your interesting feedback @PhilipDAth 

Interesting, so the potential throughput loss may be less awful than predicted? At least in environments with only a few users.

I'm also a fan of other methods, since intentional Mallories in the middle give me hives. We use Umbrella in my office and across several dozen client deployments representing hundreds of users. Small sample size, I know, but we've been very happy with the results.

Are you able to exempt any sites from the HTTPS inspection, or is this a binary setting?

A bit off topic but you here using ThreatGrid sub in addition to MXs with Advanced security and AMP enabled? I looked into the latest and found that Cisco has a new TG daily sample subscription pending in prelaunch hold. This seems to be more proper priced to SMB compared to the TG Cloud sub with at least 3 users on TG portal actually executing the files and anomalies that AMP does not know for sure.

I've never used ThreatGrid so can't comment on that one.

After trying out TLS decryption for a week I've found the biggest issue is you can not whitelist domains that don't work.

We found several apps that provide end to end encryption no longer work - such as WhatsApp web.  Also the Cisco ASDM no longer worked.

Hey Philip, thank you for the follow up on the issue about the TLS decryption.

Can you clarify about the impossibility to whitelist domains and apps ? There this section (in bellow) in the documentation that you posted first, based on it, are you saying that it doesn't work ? or is something different ?

Thanks.

"""

1. Configure Layer 3 and 7 whitelist options

   1. Navigate to the Security & SD-WAN > Threat Protection page.

   2. L3 whitelist: Specify source IPs of clients that should be exempt from HTTPS inspection. 

   3. L7 whitelist: Specify destination hostnames that should be exempt from HTTPS inspection. Use wild cards by prefixing the hostname entry with an asterisk. For example, *.example.com will match www.example.com .  

I never spotted that bit.  That should do it.