So, I searched on a bunch of SSL terms, but not on "Incident Manager" before I posted. After I posted, I went back and did a search on Incident Manager and came up with this thread:
Has there been any movement on this or is there a tracking method that can be implemented until Incident Manager returns?
1 of 1 people found this helpful
you could modify the rules that block the requests, such as the rule for blocking acceses to sites which have not been signed by a known CA, and add an event to the rules. I - for example - would add a log event which writes an SSL_Incident.log listing the timestamp, the requested URL, and the reason why access was blocked (simply by adding the rule name).
By doing so you will gather a list of blocked requests. You can look through the list to find out who, why and how often was blocked when trying to access an SSL site.
The attached rulesets can be used to determine what certificates might cause issues when you enable cert verification and SSL scanning. SSL Incident goes in the Log Manager ruleset the other ruleset goes in your main policy rules. The log manager ruleset will write a user-defined log with the information on URLs that would have been blocked and why. Use and modify at your own risk.