Configuring the Exclusion List

By default, the DPI-SSL applies to all traffic on the appliance when it is enabled. You can configure an Inclusion/Exclusion list to customize to which traffic DPI-SSL inspection applies. The Inclusion/Exclusion list provides the ability to specify certain objects, groups, or hostnames. In deployments that are processing a large amount of traffic, it can be useful to exclude trusted sources in order to reduce the CPU impact of DPI-SSL and to prevent the appliance from reaching the maximum number of concurrent DPI-SSL inspected connections.

The Inclusion/Exclusion section of the Server SSL page contains two options for specifying the inclusion list:

•	On the Address Object/Group line, select an address object or group from the Exclude pull-down menu to exempt it from DPI-SSL inspection.

•	On the User Object/Group line, select a user object or group from the Exclude pull-down menu to exempt it from DPI-SSL inspection.

NOTE: The Include pull-down menu can be used to fine-tune the specified exclusion list. For example, by selecting the Remote-office-California address object in the Exclude pull-down and the Remote-office-Oakland address object in the Include pull-down.