https://community.cisco.com/t5/endpoint-security/firepower-ssh-decryption/m-p/3067973#M1123 <DIV class="views-field views-field-comment-body cor-content"> <DIV class="field-content"> <P>As of the current FirePOWER software (Release 5.3.1), onboard SSL decryption for inspection of traffic is not supported. I've heard it may be coming in 5.4 (possibly later this quarter) but that's not yet available. When is is available, it will have a performance cost since line rate SSL decryption is computationally intensive.</P> <P>So for now you would have to use a <A href="http://www.cisco.com/c/en/us/products/security/ssl-appliances/models-comparison.html">Cisco&nbsp;SSL appliance</A>. They have purpose-built hardware for SSL decryption.</P> <P>In either case, the inline device that's opening and inspecting the SSL traffic would need to have a special certificate that's allowed to issue child certificates and be trusted by all your clients. That typically means you need to have (or establish) an Enterprise PKI.&nbsp;</P> </DIV> </DIV> Tue, 30 May 2017 10:39:52 GMT Farhan Mohamed 2017-05-30T10:39:52Z https://community.cisco.com/t5/endpoint-security/firepower-ssh-decryption/m-p/3067972#M1110 <P>I understand that cisco Firepower decrypts SSL. But it does not have a seperate option for SSH decryption ( like PaloAlto). My question is.. does it decrypt it by in the same policy ( SSL decryption policy that is) or it does not ?&nbsp;</P> Fri, 21 Feb 2020 05:04:13 GMT https://community.cisco.com/t5/endpoint-security/firepower-ssh-decryption/m-p/3067972#M1110 mobashersheikh87 2020-02-21T05:04:13Z https://community.cisco.com/t5/endpoint-security/firepower-ssh-decryption/m-p/3067973#M1123 <DIV class="views-field views-field-comment-body cor-content"> <DIV class="field-content"> <P>As of the current FirePOWER software (Release 5.3.1), onboard SSL decryption for inspection of traffic is not supported. I've heard it may be coming in 5.4 (possibly later this quarter) but that's not yet available. When is is available, it will have a performance cost since line rate SSL decryption is computationally intensive.</P> <P>So for now you would have to use a <A href="http://www.cisco.com/c/en/us/products/security/ssl-appliances/models-comparison.html">Cisco&nbsp;SSL appliance</A>. They have purpose-built hardware for SSL decryption.</P> <P>In either case, the inline device that's opening and inspecting the SSL traffic would need to have a special certificate that's allowed to issue child certificates and be trusted by all your clients. That typically means you need to have (or establish) an Enterprise PKI.&nbsp;</P> </DIV> </DIV> Tue, 30 May 2017 10:39:52 GMT https://community.cisco.com/t5/endpoint-security/firepower-ssh-decryption/m-p/3067973#M1123 Farhan Mohamed 2017-05-30T10:39:52Z https://community.cisco.com/t5/endpoint-security/firepower-ssh-decryption/m-p/3067974#M1134 <P>Firepower 5.4.1 and above is capable of doing SSL decryption, and the SSL decryption policy is way more granular with many different options.</P> <P>http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/200202-Configuration-of-an-SSL-Inspection-Polic.html</P> <P></P> <P>Regards,</P> <P>Jawad</P> <P></P> Mon, 03 Jul 2017 20:10:50 GMT https://community.cisco.com/t5/endpoint-security/firepower-ssh-decryption/m-p/3067974#M1134 Jawad Al Akrabawi 2017-07-03T20:10:50Z