https://community.cisco.com/t5/network-security/ssl-policy-question/m-p/3032972#M1017428 <P>I have a Firepower virtual management server that is managing about 12 devices.</P> <P>(2-5516s, 2-5508s, and the rest 5506s)</P> <P></P> <P>I'd like to have an SSL policy so i can inspect https traffic, but I'm not sure if this is going to degrade system performance too much.</P> <P>since I'm using firepower manager, is the SSL work offloaded to it?</P> <P>I have plenty of room on my virtual environment to give the server all the CPU and memory it would ever want.</P> <P></P> Tue, 12 Mar 2019 13:15:43 GMT Lee Dress 2019-03-12T13:15:43Z https://community.cisco.com/t5/network-security/ssl-policy-question/m-p/3032972#M1017428 <P>I have a Firepower virtual management server that is managing about 12 devices.</P> <P>(2-5516s, 2-5508s, and the rest 5506s)</P> <P></P> <P>I'd like to have an SSL policy so i can inspect https traffic, but I'm not sure if this is going to degrade system performance too much.</P> <P>since I'm using firepower manager, is the SSL work offloaded to it?</P> <P>I have plenty of room on my virtual environment to give the server all the CPU and memory it would ever want.</P> <P></P> Tue, 12 Mar 2019 13:15:43 GMT https://community.cisco.com/t5/network-security/ssl-policy-question/m-p/3032972#M1017428 Lee Dress 2019-03-12T13:15:43Z https://community.cisco.com/t5/network-security/ssl-policy-question/m-p/3032973#M1017433 <P>I would not recommend doing SSL decryption with the ASA Firepower devices as this reduces the performance by 30-40% at a minimum. The ASA hardware was not built for such heavy processing - especially lower end models. You should really look at doing SSL decryption on a separate box capable of handling the traffic processing. And no, SSL is not offloaded to the FMC for decryption.</P> Fri, 20 Jan 2017 23:47:56 GMT https://community.cisco.com/t5/network-security/ssl-policy-question/m-p/3032973#M1017433 Rahul Govindan 2017-01-20T23:47:56Z