https://community.cisco.com/t5/network-security/cisco-ftd-inline-set-ssl-decryption-support/m-p/4908348#M1103599 <P>Hello,</P> <P>We are planning to deploy a pair of FTD appliances for one of our customer. We will be running routed mode and will use inline sets for the connectivity. The customer wants to configure SSL decryption for both inbound (for published services) and outbound traffic (for user internet browsing). Please let me know whether there are any limitations for SSL decryption when we use inline sets.</P> <P>Thanks</P> <P>Shabeeb</P> Sun, 20 Aug 2023 03:22:08 GMT SHABEEB KUNHIPOCKER 2023-08-20T03:22:08Z https://community.cisco.com/t5/network-security/cisco-ftd-inline-set-ssl-decryption-support/m-p/4908348#M1103599 <P>Hello,</P> <P>We are planning to deploy a pair of FTD appliances for one of our customer. We will be running routed mode and will use inline sets for the connectivity. The customer wants to configure SSL decryption for both inbound (for published services) and outbound traffic (for user internet browsing). Please let me know whether there are any limitations for SSL decryption when we use inline sets.</P> <P>Thanks</P> <P>Shabeeb</P> Sun, 20 Aug 2023 03:22:08 GMT https://community.cisco.com/t5/network-security/cisco-ftd-inline-set-ssl-decryption-support/m-p/4908348#M1103599 SHABEEB KUNHIPOCKER 2023-08-20T03:22:08Z https://community.cisco.com/t5/network-security/cisco-ftd-inline-set-ssl-decryption-support/m-p/4908368#M1103600 <P>&nbsp;</P> <P>&nbsp;- Check this document :&nbsp;<A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/623/fdm/fptd-fdm-config-guide-623/fptd-fdm-ssl-decryption.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/623/fdm/fptd-fdm-config-guide-623/fptd-fdm-ssl-decryption.html</A></P> <P>&nbsp;M.</P> Sun, 20 Aug 2023 06:15:00 GMT https://community.cisco.com/t5/network-security/cisco-ftd-inline-set-ssl-decryption-support/m-p/4908368#M1103600 Mark Elsen 2023-08-20T06:15:00Z https://community.cisco.com/t5/network-security/cisco-ftd-inline-set-ssl-decryption-support/m-p/4908378#M1103603 <P>adding to other comment- Make sure you sizing the hardware is correct depends on the traffic going in and out.</P> <P>our case enabling the cache added more performance.</P> <P>i suggest below good documents and understand the flows. (i used below guide to setup one)</P> <P><A href="https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3063.pdf" target="_blank">https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3063.pdf</A></P> <P><A href="https://www.youtube.com/watch?v=Ra52ulwoVvY" target="_blank">https://www.youtube.com/watch?v=Ra52ulwoVvY</A></P> <P>&nbsp;</P> Sun, 20 Aug 2023 06:48:43 GMT https://community.cisco.com/t5/network-security/cisco-ftd-inline-set-ssl-decryption-support/m-p/4908378#M1103603 balaji.bandi 2023-08-20T06:48:43Z https://community.cisco.com/t5/network-security/cisco-ftd-inline-set-ssl-decryption-support/m-p/4908463#M1103619 <P>Thanks guys for the response. I have enabled SSL interception for FTDs with L3 interfaces in the past.</P> <P>Actually in our current case our FTDs will not have L3 interfaces except the management interface. We will have only inline sets which are like bump-in-the-wire. So is there any issue in enabling SSL interception for outbound and inbound traffic?.</P> Sun, 20 Aug 2023 15:35:11 GMT https://community.cisco.com/t5/network-security/cisco-ftd-inline-set-ssl-decryption-support/m-p/4908463#M1103619 SHABEEB KUNHIPOCKER 2023-08-20T15:35:11Z https://community.cisco.com/t5/network-security/cisco-ftd-inline-set-ssl-decryption-support/m-p/4910615#M1103730 <P>Any update on the above query Guys?</P> Wed, 23 Aug 2023 12:14:25 GMT https://community.cisco.com/t5/network-security/cisco-ftd-inline-set-ssl-decryption-support/m-p/4910615#M1103730 SHABEEB KUNHIPOCKER 2023-08-23T12:14:25Z https://community.cisco.com/t5/network-security/cisco-ftd-inline-set-ssl-decryption-support/m-p/4910658#M1103735 <LI-CODE lang="markup">Actually in our current case our FTDs will not have L3 interfaces except the management interface. We will have only inline sets which are like bump-in-the-wire. So is there any issue in enabling SSL interception for outbound and inbound traffic?.</LI-CODE> <P>When it was Layer 3 configured is this working ?&nbsp; check the Guide lines for bump-in-the-wire (not that we have deployed - so no comments)</P> <P>this is cisco community, if this is effecting your environment always reach TAC is best option.</P> Wed, 23 Aug 2023 13:38:38 GMT https://community.cisco.com/t5/network-security/cisco-ftd-inline-set-ssl-decryption-support/m-p/4910658#M1103735 balaji.bandi 2023-08-23T13:38:38Z https://community.cisco.com/t5/network-security/cisco-ftd-inline-set-ssl-decryption-support/m-p/4910718#M1103748 <P>I can't find any reference in the configuration guide saying so, but I don't think SSL decryption will work with an inline set.</P> <P>The firewall needs to act as a man in the middle and terminate the SSL session to inspect and then re-sign it. Since it is not in the path IP-wise it cannot do that.</P> Wed, 23 Aug 2023 15:21:11 GMT https://community.cisco.com/t5/network-security/cisco-ftd-inline-set-ssl-decryption-support/m-p/4910718#M1103748 Marvin Rhoads 2023-08-23T15:21:11Z https://community.cisco.com/t5/network-security/cisco-ftd-inline-set-ssl-decryption-support/m-p/4910739#M1103752 <P>Hi Marvin,</P> <P>I had the same doubt and that is the primary reason why I started the Thread. Anyway I am trying to check it internally with Cisco and get the confirmation. I will update once I get a response from them.</P> <P>Thanks</P> <P>Shabeeb</P> Wed, 23 Aug 2023 15:51:05 GMT https://community.cisco.com/t5/network-security/cisco-ftd-inline-set-ssl-decryption-support/m-p/4910739#M1103752 SHABEEB KUNHIPOCKER 2023-08-23T15:51:05Z