https://community.cisco.com/t5/network-security/quot-tls-server-identity-discovery-quot-and-quot-encrypted/m-p/4784297#M1098248 <P>Thanks. But is "TLS Server Identity Discovery" supported for the FTD running in transparent mode with interface inline pair (no tap)?</P> Tue, 28 Feb 2023 18:16:47 GMT SIMMN 2023-02-28T18:16:47Z https://community.cisco.com/t5/network-security/quot-tls-server-identity-discovery-quot-and-quot-encrypted/m-p/4777684#M1097926 <P>A quick validation question: Will Enabling and Deploying "TLS Server Identity Discovery" and/or "Encrypted Visibility Engine" features in FMC/FTD be impactful for data traffic?</P> <P>Will it matter if the FTD is in routed or transparent mode?</P> Fri, 17 Feb 2023 21:05:30 GMT https://community.cisco.com/t5/network-security/quot-tls-server-identity-discovery-quot-and-quot-encrypted/m-p/4777684#M1097926 SIMMN 2023-02-17T21:05:30Z https://community.cisco.com/t5/network-security/quot-tls-server-identity-discovery-quot-and-quot-encrypted/m-p/4784277#M1098246 <P>Hello ,<BR /><BR /><BR /><STRONG>TLS Server Identity Discovery</STRONG></P> <P>&nbsp;</P> <P>The latest version of the Transport Layer Security (TLS) protocol 1.3, defined by <A href="https://tools.ietf.org/html/rfc8446" target="_blank">RFC 8446</A>, is the preferred protocol for many web servers to provide secure communications. Because the TLS 1.3 protocol encrypts the server's certificate for additional security, and the certificate is needed to match application and URL filtering criteria in access control rules, the Firepower System provides a way to extract the server certificate <I>without</I> decrypting the entire packet.</P> <P>&nbsp;</P> <P>You can enable this feature, referred to as <I>TLS server identity discovery</I>, when you either:</P> <P>Associate an SSL policy with an access control policy</P> <P>Configure advanced settings for an access control policy</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>**Because the certificate is decrypted, TLS server identity discovery can reduce performance depending on the hardware platform.</P> <P>** TLS server identity discovery is not supported in inline tap mode or passive mode deployments.<BR />&nbsp;</P> <P>&nbsp;</P> <H2>Encrypted Visibility Engine</H2> <P>&nbsp;</P> <P><SPAN style="background-color:rgb(255,255,255);color:rgb(56,66,72);font-size:15px;">EVE is a new means of identifying client applications and processes utilizing TLS encryption. It enables visibility and allows administrators to take actions and enforce policy within their environments. EVE works by fingerprinting the Client Hello packet in the TLS handshake. By identifying specific application fingerprints in TLS session establishment, the system can identify the client process and take appropriate action (allow/block).</SPAN><BR />&nbsp;</P> <P>Ref : <A href="https://secure.cisco.com/secure-firewall/docs/encrypted-visibility-engine" target="_blank">https://secure.cisco.com/secure-firewall/docs/encrypted-visibility-engine</A>&nbsp;<BR /><BR /><SPAN style="font-size:inherit;"><STRONG>Deployment</STRONG></SPAN>.</P> <P>The GUI page lists the devices with out-of-date configurations having the pending status.</P> <P>The <SPAN style="font-size:inherit;"><STRONG>Inspect Interruption</STRONG></SPAN> column indicates if traffic inspection interruption may be caused in the device during deployment.</P> <P>See <A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/policy_management.html#id_65425" target="_blank">Restart Warnings for the FTD Devices</A> for information to help you identify configurations that interrupt traffic inspection and might interrupt traffic when deployed to FTD devices.</P> <P>&nbsp;</P> <P>If the entry is blank in this column for a device, then it indicates that there will be no traffic inspection interruptions on that device during deployment.</P> <P>&nbsp;</P> <P>For both the features you can check the deployment details to make sure traffic interruption is not caused.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN style="background-color:rgb(255,255,255);color:rgb(24,24,24);font-size:14px;">-----------------------------------------</SPAN><BR /><SPAN style="background-color:rgb(255,255,255);color:rgb(24,24,24);font-size:14px;">If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.</SPAN><BR /><BR /><SPAN style="background-color:rgb(255,255,255);color:rgb(24,24,24);font-size:14px;">You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [</SPAN><A href="https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493" target="_blank">https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493</A><SPAN style="background-color:rgb(255,255,255);color:rgb(24,24,24);font-size:14px;">] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.</SPAN><BR /><SPAN style="background-color:rgb(255,255,255);color:rgb(24,24,24);font-size:14px;">-----------------------------------------</SPAN><BR /><BR /><BR />Regards,</P> <P>Divya Jain</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 28 Feb 2023 17:42:31 GMT https://community.cisco.com/t5/network-security/quot-tls-server-identity-discovery-quot-and-quot-encrypted/m-p/4784277#M1098246 Divya Jain 2023-02-28T17:42:31Z https://community.cisco.com/t5/network-security/quot-tls-server-identity-discovery-quot-and-quot-encrypted/m-p/4784297#M1098248 <P>Thanks. But is "TLS Server Identity Discovery" supported for the FTD running in transparent mode with interface inline pair (no tap)?</P> Tue, 28 Feb 2023 18:16:47 GMT https://community.cisco.com/t5/network-security/quot-tls-server-identity-discovery-quot-and-quot-encrypted/m-p/4784297#M1098248 SIMMN 2023-02-28T18:16:47Z https://community.cisco.com/t5/network-security/quot-tls-server-identity-discovery-quot-and-quot-encrypted/m-p/4788436#M1098418 <P>Hi,<BR /><BR />TLS server identity discovery is not supported in inline tap mode or passive mode deployments.<BR />ref link : <A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/getting_started_with_access_control_policies.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/getting_started_with_access_control_policies.html</A>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Regards,<BR />Divya Jain</P> Tue, 07 Mar 2023 07:15:19 GMT https://community.cisco.com/t5/network-security/quot-tls-server-identity-discovery-quot-and-quot-encrypted/m-p/4788436#M1098418 Divya Jain 2023-03-07T07:15:19Z https://community.cisco.com/t5/network-security/quot-tls-server-identity-discovery-quot-and-quot-encrypted/m-p/4863768#M1102089 <P>I don't use SSL policy. So I am wondering If i disable this feature, would that impact the URL categorization ?</P> Wed, 28 Jun 2023 10:04:32 GMT https://community.cisco.com/t5/network-security/quot-tls-server-identity-discovery-quot-and-quot-encrypted/m-p/4863768#M1102089 AminRamadan 2023-06-28T10:04:32Z https://community.cisco.com/t5/network-security/quot-tls-server-identity-discovery-quot-and-quot-encrypted/m-p/5254645#M1119212 <P><SPAN><EM>TLS Server Identity Discovery</EM> can have a painful effect until the&nbsp;<A href="https://bst.cisco.com/bugsearch/bug/CSCwj82736?rfs=qvlogin" target="_self">TLS 1.3 Hybridized Kyber Support bug</A> is resolved in FTD.</SPAN></P> <P><SPAN>See&nbsp;<A href="http://tldr.fail" target="_self">tldr.fail</A>&nbsp;page.</SPAN></P> Thu, 30 Jan 2025 09:18:55 GMT https://community.cisco.com/t5/network-security/quot-tls-server-identity-discovery-quot-and-quot-encrypted/m-p/5254645#M1119212 Peter Koltl 2025-01-30T09:18:55Z