Configuring HTTPS Profiles

Purpose: Configure HTTPS profiles to identify IPv4 HTTPS traffic and exclude specific URL categories from IPv4 HTTPS inspection.

Location: Policies > Gateway Profiles > HTTPS

  1. Optionally enable the profile.
  2. Enter up to five custom HTTPS ports as a comma-delimited list.

    The default ports are 443 and 8443. HTTPS traffic with a destination port from this list is decrypted and scanned.

    Important: If you enable secure email (SMTPS, POP3S, and IMAPS) in the Email Security gateway profile, you cannot enter the ports used for the enabled secure email protocols in the HTTPS ports list as this can cause issues for HTTPS inspection. For example, if you enable SMTPS in the Email Security gateway profile and use the default SMTPS port (465), you must not enter port 465 in the HTTPS port list.
  3. Configure URL category exceptions.

    See URL Category Groups.

  4. Click Modify Global Approved List to configure the Approved List.

    See Approved and Blocked Lists.

  5. Configure source address exceptions by adding IPv4 address objects.

    Source address exceptions bypass HTTPS traffic inspection and allow endpoints access to all HTTPS traffic from those addresses.


    HTTPS inspection is performed only on IPv4 traffic. IPv6 traffic is not decrypted and scanned. IPv6 HTTPS traffic passes through to the end points without scanning.

  6. Click Save.