https://community.cisco.com/t5/network-security/which-cert-for-ips/m-p/3188591#M1040611 <P>You will need to provide the IPS the certificates and private keys used on each of the servers in order to decrypt, inspect and resign the traffic. Of course if they are using a single certificate with SANs or a wildcard certificate then you would need only that one certificate and key pair.</P> Sun, 24 Sep 2017 08:51:30 GMT Marvin Rhoads 2017-09-24T08:51:30Z https://community.cisco.com/t5/network-security/which-cert-for-ips/m-p/3188585#M1040610 <P>Hi all</P><P>We have a requirement to provide IPS services on a HA pair of 4100 series FTDs. Specifically there is one flow we need this for. Two clients (servers) need to talk to four servers. The end-to-end path is:</P><P>&nbsp;</P><P>Clients &gt; FTD/IPS &gt; F5 load balancer &gt; Servers&nbsp;</P><P>&nbsp;</P><P>The F5 in this scenario will not perform any SSL offload but will simply provide a VIP and load balance the request to one of the four servers. The SSL handshake will take place directly between the client and server.</P><P>I have zero experience with the FTD product so excuse my ignorance. The question I have is that I understand I need to provide the FTD with the private key of the server in order for it to be able to decrypt the flow and run it through the SNORT engine; which private key in this situation do I provide? All four? One bundled?</P><P>&nbsp;</P><P>Thank you</P> Fri, 21 Feb 2020 14:21:15 GMT https://community.cisco.com/t5/network-security/which-cert-for-ips/m-p/3188585#M1040610 Devlin Thornicroft 2020-02-21T14:21:15Z https://community.cisco.com/t5/network-security/which-cert-for-ips/m-p/3188591#M1040611 <P>You will need to provide the IPS the certificates and private keys used on each of the servers in order to decrypt, inspect and resign the traffic. Of course if they are using a single certificate with SANs or a wildcard certificate then you would need only that one certificate and key pair.</P> Sun, 24 Sep 2017 08:51:30 GMT https://community.cisco.com/t5/network-security/which-cert-for-ips/m-p/3188591#M1040611 Marvin Rhoads 2017-09-24T08:51:30Z https://community.cisco.com/t5/network-security/which-cert-for-ips/m-p/3188598#M1040612 <P>Hi Marvin</P><P>&nbsp;</P><P>Thank you for the swift &amp; clear&nbsp;response. This has given me food for thought. The SAN method in particular is a nifty little suggestion which I will ask the customer.</P><P>&nbsp;</P><P>A further question - if they come back say we can't use a SAN certificate, each server must use a unique cert, is it fairly straightforward to create an IPS policy that utilises more than one cert/key?</P><P>&nbsp;</P><P>Thanks</P> Sun, 24 Sep 2017 09:35:08 GMT https://community.cisco.com/t5/network-security/which-cert-for-ips/m-p/3188598#M1040612 Devlin Thornicroft 2017-09-24T09:35:08Z https://community.cisco.com/t5/network-security/which-cert-for-ips/m-p/3188607#M1040613 <P>Yes - technically it's an SSL Policy which is called out in an Access Control Policy.&nbsp;</P> <P>&nbsp;</P> <P>While I havent had a use case to do so myself, I know you can select and add multiple certificates in a given SSL policy.</P> Sun, 24 Sep 2017 10:35:11 GMT https://community.cisco.com/t5/network-security/which-cert-for-ips/m-p/3188607#M1040613 Marvin Rhoads 2017-09-24T10:35:11Z https://community.cisco.com/t5/network-security/which-cert-for-ips/m-p/3188622#M1040615 <P>Brill,&nbsp;thank you Marvin. I'll search that function out now.&nbsp;</P> Sun, 24 Sep 2017 13:03:12 GMT https://community.cisco.com/t5/network-security/which-cert-for-ips/m-p/3188622#M1040615 Devlin Thornicroft 2017-09-24T13:03:12Z