topic Re: SSL inspection with FMC in Network Security

SSL inspection with FMC

ethutchinson — Fri, 21 Feb 2020 17:48:07 GMT

I found out recently my FMC's (6.4.0.4) URL filter was not catching HTTPS traffic (My Bad), So I started researching how to do this. I have downloaded the cert from my CA and I was about to install it and setup the SSL policy. Before I do this can I get some advantages (obvious) and disadvantages (performance?) to doing this? I know it looks pretty obvious but I wanted to know if I am missing something in my planning. I guess one of my major fears/concerns would be blocking a good site either internally or externally accessed. We have about 500 desktops and if I am going to wreck their days I want to know ahead of time.

Thanks

Re: SSL inspection with FMC

Rob Ingram — Mon, 30 Dec 2019 17:19:22 GMT

Hi,

The advantages to using SSL decryption is being able to determine what sites are being accessed and denying access - this could be malicious traffic, which you'd want to block. You are correct, enabling SSL decryption would have an impact on performance.

What hardware are you using?

And what is the bandwidth of your internet connection?

Re: SSL inspection with FMC

ethutchinson — Mon, 30 Dec 2019 17:23:12 GMT

ASA 5515x's with two 100mb shared connections

Re: SSL inspection with FMC

Rob Ingram — Mon, 30 Dec 2019 17:46:18 GMT

The screenshot below is from the Firepower Performance Estimator, set at 100Mb bandwidth with only the Base and SSL Decryption features enabled. The output indicates the performance of the different ASA models, except the 5515X so cannot estimate what the impact will be.