topic Re: SSL Traffic Capture on FTD in Network Security

SSL Traffic Capture on FTD

Fantas — Thu, 01 Oct 2020 22:53:15 GMT

Hi,

we have internal client talking to outside but I cant see ant traffic on FTD and Looks its communication is not reaching at that level and breaks at SSL handshake. Server guy confirmed me that ssl handshake is not completing.

Can I capture ssl handshake traffic on ftd to see If ssl is the problem for this communication.

Re: SSL Traffic Capture on FTD

balaji.bandi — Fri, 02 Oct 2020 07:08:33 GMT

Hope you are not looking Decrypt the SSL, but as per the post, you looking simple end-to-end TCP handshake to prove the packet coming in FTD and leaving to destination.

below troubleshoot prove and explain when you enable capture. Hope you do not have any other uplink side device which does NAT or any other sort ?

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html

Re: SSL Traffic Capture on FTD

Mohammed al Baqari — Fri, 02 Oct 2020 07:14:25 GMT

Hi,

You can capture ssl traffic and look at the handshake (basically client
hello and server hello are the handshake messages). A failure in handshake
will generate a reset by the other party. These hellos can be seen without
decrypt.

***** please remember to rate useful posts

Re: SSL Traffic Capture on FTD

Fantas — Fri, 02 Oct 2020 09:14:39 GMT

Thanks,

Yes I want to look at the handshake level only without decrypting ssl traffic.

what CLI should I use to get this Info on FTD CLI.

Re: SSL Traffic Capture on FTD

Mohammed al Baqari — Fri, 02 Oct 2020 10:22:25 GMT

Hi,

You can go to system support diag command and capture #name# #if-name# ....
etc to capture the traffic on outside interface. Then export it as pcpa
file. Or you can generate the capture from fmc or fdm. Just lookup the
steps online.

**** please remember to rate useful posts