topic Re: Do not decrypt bypass rule for domain in Network Security

Do not decrypt bypass rule for domain

ryan14 — Fri, 17 Jan 2020 15:12:55 GMT

Is there a way to create a do not decrypt rule for a set of domains or FQDNs? I do not see a URL tab in the the SSL ACP. Running 6.4.0.4 fmc. Closest alternative is to either know the destination IPs or hope the application tab has a match.

Re: Do not decrypt bypass rule for domain

Abheesh Kumar — Sat, 18 Jan 2020 09:59:08 GMT

Hi,

I think there is no option to create rule with FQDN either you need to know the FQDN resolvable IP, If you try creating FQDN in the SLL rule it will not display FQDN objects there. I think its a limitation that cisco need to address in feature releases.

HTH

Abheesh

Re: Do not decrypt bypass rule for domain

Muhammad Awais Khan — Mon, 20 Jan 2020 06:10:35 GMT

Hi,

Did you try with a rule using DN and CN ? you can match CN or DC for the required website which you dont want to decrypt.

Re: Do not decrypt bypass rule for domain

ryan14 — Mon, 20 Jan 2020 15:40:52 GMT

Hey guys,

Yeah so I tested adding a site to the subject DN and it didn't decrypt which is good. Does this also do subdomains or do you need to add an asterisk? I was under the impression firepower doesn't llike asterisk characters for wild card.

Re: Do not decrypt bypass rule for domain

Muhammad Awais Khan — Mon, 20 Jan 2020 18:13:52 GMT

Hi,

* should be working fine. Infact they are using * in the snapshot I attached in previous comment.

Re: Do not decrypt bypass rule for domain

ryan14 — Mon, 20 Jan 2020 20:30:16 GMT

Thanks just tested the asterisk and it did work.