<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Secure FMC Policy Trace SSL Decryption? in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/secure-fmc-policy-trace-ssl-decryption/m-p/5151264#M1114647</link>
    <description>&lt;P&gt;I do have a TAC case open. I was able to demonstrate the problem with the Unified Event viewer missing log data. Connection Events and Syslog data are fine. At the moment not depending on Unified Events viewer for troubleshooting.&lt;/P&gt;</description>
    <pubDate>Thu, 25 Jul 2024 19:02:56 GMT</pubDate>
    <dc:creator>davparker</dc:creator>
    <dc:date>2024-07-25T19:02:56Z</dc:date>
    <item>
      <title>Secure FMC Policy Trace SSL Decryption?</title>
      <link>https://community.cisco.com/t5/network-security/secure-fmc-policy-trace-ssl-decryption/m-p/5141545#M1114105</link>
      <description>&lt;P&gt;I've got a weird issue. Per policy, I've got a list of categories/URLs for web sites not to decrypt. In my SSL Policy I created rules for each classification so I can track which rule gets hit for DND. Every rule has logging enabled, even the Default action, do not decrypt. I test a web site from each category/rule to be sure it gets hit properly. I monitor using the Unified Events viewer. Some web sites never log the connection. For example, &lt;A href="http://www.sed.gov" target="_blank"&gt;https://www.sec.gov&lt;/A&gt; never gets logged even though it is in a Gov't Law category. I'm not sure why none of the rules log the traffic, even the default rule. I was hoping I could figure out a method to policy trace the traffic flow to see which SSL Decryption rule applies. I tried packet-tracer but it doesn't seem to include this section of the flow. Any help would be appreciated.&lt;/P&gt;&lt;P&gt;Thanks - David&lt;/P&gt;</description>
      <pubDate>Mon, 08 Jul 2024 16:36:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/secure-fmc-policy-trace-ssl-decryption/m-p/5141545#M1114105</guid>
      <dc:creator>davparker</dc:creator>
      <dc:date>2024-07-08T16:36:11Z</dc:date>
    </item>
    <item>
      <title>Re: Secure FMC Policy Trace SSL Decryption?</title>
      <link>https://community.cisco.com/t5/network-security/secure-fmc-policy-trace-ssl-decryption/m-p/5141945#M1114128</link>
      <description>&lt;P&gt;You could try "system support firewall-engine-debug". Run that with the source and destination specified to see details on how the ACP and associated policies (IPS, SSL decrypt etc.) are handling a given flow.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214577-firepower-data-path-troubleshooting-phas.html" target="_blank"&gt;https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214577-firepower-data-path-troubleshooting-phas.html&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 09 Jul 2024 07:33:27 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/secure-fmc-policy-trace-ssl-decryption/m-p/5141945#M1114128</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2024-07-09T07:33:27Z</dc:date>
    </item>
    <item>
      <title>Re: Secure FMC Policy Trace SSL Decryption?</title>
      <link>https://community.cisco.com/t5/network-security/secure-fmc-policy-trace-ssl-decryption/m-p/5143092#M1114186</link>
      <description>&lt;P&gt;Thanks, I may try that. Still trying to wrap my head around TLS1.3 and certificate pinning. Seems like all the missing log entries are for sites using TLS1.3 encryption. But I do see entries for some TLS 1.3 sites. I'm at 7.2x. I was reading that 7.3x has much improved EVE. That, and I very much like the fact you can save filters in the Unified Event Viewer.&lt;/P&gt;</description>
      <pubDate>Wed, 10 Jul 2024 20:31:37 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/secure-fmc-policy-trace-ssl-decryption/m-p/5143092#M1114186</guid>
      <dc:creator>davparker</dc:creator>
      <dc:date>2024-07-10T20:31:37Z</dc:date>
    </item>
    <item>
      <title>Re: Secure FMC Policy Trace SSL Decryption?</title>
      <link>https://community.cisco.com/t5/network-security/secure-fmc-policy-trace-ssl-decryption/m-p/5143147#M1114188</link>
      <description>&lt;P&gt;Hi friend&lt;/P&gt;
&lt;P&gt;I'll try to help here; I don't have a lot of ack.&lt;/P&gt;
&lt;P&gt;So:&lt;/P&gt;
&lt;P&gt;TLS 1.2 sends the SNI unencrypted, and hence FTD can read it and run the SSL policy.&lt;/P&gt;
&lt;P&gt;TLS 1.3 sends the SNI encrypted, so ONLY with Snort 3, and after you enable the TLS 1.3 decrypt option in the Advanced tab of the SSL policy, can FTD read the SNI and run the SSL policy.&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
      <pubDate>Wed, 10 Jul 2024 22:52:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/secure-fmc-policy-trace-ssl-decryption/m-p/5143147#M1114188</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2024-07-10T22:52:56Z</dc:date>
    </item>
    <item>
      <title>Re: Secure FMC Policy Trace SSL Decryption?</title>
      <link>https://community.cisco.com/t5/network-security/secure-fmc-policy-trace-ssl-decryption/m-p/5143173#M1114190</link>
      <description>&lt;P&gt;Thanks, yes, I do have that option set. I also have TLS Server Identity Discovery enabled on the ACP.&lt;/P&gt;</description>
      <pubDate>Thu, 11 Jul 2024 00:49:28 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/secure-fmc-policy-trace-ssl-decryption/m-p/5143173#M1114190</guid>
      <dc:creator>davparker</dc:creator>
      <dc:date>2024-07-11T00:49:28Z</dc:date>
    </item>
    <item>
      <title>Re: Secure FMC Policy Trace SSL Decryption?</title>
      <link>https://community.cisco.com/t5/network-security/secure-fmc-policy-trace-ssl-decryption/m-p/5143650#M1114218</link>
      <description>&lt;P&gt;I'm beginning to suspect that the SSL Decrypt connection event log entries are generated for the first lookup but not subsequent requests. I had a test URL for DND I hadn't tried yet for the Federal Reserve. The first time I tried the URL it showed up in the connection log, including embedded URLs, and was decrypted, even though I had an SSL rule to DND with a wildcard DN specifying *.federalreserve.gov. Subsequent visits to the site showed no log entries whatsoever, including those embedded URLs. Makes it tough to t-shoot an SSL Decryption policy without a full-on debug.&lt;/P&gt;</description>
      <pubDate>Thu, 11 Jul 2024 14:15:01 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/secure-fmc-policy-trace-ssl-decryption/m-p/5143650#M1114218</guid>
      <dc:creator>davparker</dc:creator>
      <dc:date>2024-07-11T14:15:01Z</dc:date>
    </item>
    <item>
      <title>Re: Secure FMC Policy Trace SSL Decryption?</title>
      <link>https://community.cisco.com/t5/network-security/secure-fmc-policy-trace-ssl-decryption/m-p/5144192#M1114247</link>
      <description>&lt;P&gt;I'm starting to lean towards this problem being a logging issue. Our FMC is in an external data center. I've got a TAC case open.&lt;/P&gt;</description>
      <pubDate>Fri, 12 Jul 2024 13:14:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/secure-fmc-policy-trace-ssl-decryption/m-p/5144192#M1114247</guid>
      <dc:creator>davparker</dc:creator>
      <dc:date>2024-07-12T13:14:59Z</dc:date>
    </item>
    <item>
      <title>Re: Secure FMC Policy Trace SSL Decryption?</title>
      <link>https://community.cisco.com/t5/network-security/secure-fmc-policy-trace-ssl-decryption/m-p/5144282#M1114249</link>
      <description>&lt;P&gt;Still waiting on TAC, but I can confirm I see the log entries on a syslog server. I then checked the Connection Events log and can see the events logged there. The Unified Events viewer seems to be the problem.&lt;/P&gt;</description>
      <pubDate>Fri, 12 Jul 2024 14:32:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/secure-fmc-policy-trace-ssl-decryption/m-p/5144282#M1114249</guid>
      <dc:creator>davparker</dc:creator>
      <dc:date>2024-07-12T14:32:35Z</dc:date>
    </item>
    <item>
      <title>Re: Secure FMC Policy Trace SSL Decryption?</title>
      <link>https://community.cisco.com/t5/network-security/secure-fmc-policy-trace-ssl-decryption/m-p/5151264#M1114647</link>
      <description>&lt;P&gt;I do have a TAC case open. I was able to demonstrate the problem with the Unified Event viewer missing log data. Connection Events and Syslog data are fine. At the moment not depending on Unified Events viewer for troubleshooting.&lt;/P&gt;</description>
      <pubDate>Thu, 25 Jul 2024 19:02:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/secure-fmc-policy-trace-ssl-decryption/m-p/5151264#M1114647</guid>
      <dc:creator>davparker</dc:creator>
      <dc:date>2024-07-25T19:02:56Z</dc:date>
    </item>
    <item>
      <title>Re: Secure FMC Policy Trace SSL Decryption?</title>
      <link>https://community.cisco.com/t5/network-security/secure-fmc-policy-trace-ssl-decryption/m-p/5151273#M1114650</link>
      <description>&lt;P&gt;Thanks a lot for updating us.&lt;/P&gt;
&lt;P&gt;Have a nice summer.&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
      <pubDate>Thu, 25 Jul 2024 19:12:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/secure-fmc-policy-trace-ssl-decryption/m-p/5151273#M1114650</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2024-07-25T19:12:42Z</dc:date>
    </item>
  </channel>
</rss>

