https://community.cisco.com/t5/network-security/ssl-inspection-on-cisco-asa/m-p/3787572#M991651 <P>I is common knowledge/best practise to do SSL encryption/decryption on a separate box in your DMZ, back in the day, it was called "SSL offloading". all customers i support run this on a F5 Big IP (or radware box)</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 24 Jan 2019 21:08:39 GMT Dennis Mink 2019-01-24T21:08:39Z https://community.cisco.com/t5/network-security/ssl-inspection-on-cisco-asa/m-p/3787229#M991639 <P>I would like to see if there is any document which has the cons of ssl inspection of firepower module.</P> <P>Like the effect on resource usage like memory, processing power on the firewall</P> Tue, 12 Mar 2019 14:15:01 GMT https://community.cisco.com/t5/network-security/ssl-inspection-on-cisco-asa/m-p/3787229#M991639 Arshad Safrulla 2019-03-12T14:15:01Z https://community.cisco.com/t5/network-security/ssl-inspection-on-cisco-asa/m-p/3787233#M991641 <P>we have 5555-X series with firepower SFR we were very intersted to do the SSL decryption but later the recommendation came from cisco if you looking for SSL decryption that use WSA or FTD bigger box.</P><P>&nbsp;</P><P>so long story short if its production network stay out of it, if in the lab purpose yes go and try it.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp; here is a link</P><P><A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-firepower-services/200577-Configure-the-SSL-decryption-on-FirePOWE.pdf" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-firepower-services/200577-Configure-the-SSL-decryption-on-FirePOWE.pdf</A></P><P>&nbsp;</P><P><A href="https://routemypacket.blogspot.com/2017/11/ssl-decryption-with-cisco-firepower.html" target="_blank">https://routemypacket.blogspot.com/2017/11/ssl-decryption-with-cisco-firepower.html</A></P><P>&nbsp;</P><P><A href="https://www.a10networks.com/resources/articles/ssl-inspection-decryption-cisco-asa-firepower" target="_blank">https://www.a10networks.com/resources/articles/ssl-inspection-decryption-cisco-asa-firepower</A></P> Thu, 24 Jan 2019 13:33:40 GMT https://community.cisco.com/t5/network-security/ssl-inspection-on-cisco-asa/m-p/3787233#M991641 Sheraz.Salim 2019-01-24T13:33:40Z https://community.cisco.com/t5/network-security/ssl-inspection-on-cisco-asa/m-p/3787397#M991643 <P>Thank you. But I am looking for a cisco documentation which at least says that it is a resource intensive task.</P> Thu, 24 Jan 2019 16:09:41 GMT https://community.cisco.com/t5/network-security/ssl-inspection-on-cisco-asa/m-p/3787397#M991643 Arshad Safrulla 2019-01-24T16:09:41Z https://community.cisco.com/t5/network-security/ssl-inspection-on-cisco-asa/m-p/3787412#M991646 <P>I never came across where Cisco said it’s a resource incentive.&nbsp;</P><P>But runnning in lab environment personally and after even Cisco TAC recommendation is not run ssl decrying on ASA with sfr as it’s spikes the cpu.&nbsp;</P><P>This is from the experience even though if you want to try and don’t believe than what else can be say.</P><P>ssl decrying work good with FTD 9300 for sure</P> Thu, 24 Jan 2019 16:22:42 GMT https://community.cisco.com/t5/network-security/ssl-inspection-on-cisco-asa/m-p/3787412#M991646 Sheraz.Salim 2019-01-24T16:22:42Z https://community.cisco.com/t5/network-security/ssl-inspection-on-cisco-asa/m-p/3787417#M991648 Thank You once again. I am looking at a 5525-X box with AMP, IPS enabled and on top of this will be doing SSL decryption.<BR />There are around 400 users behind the network with around 15 IPSEC tunnels terminated in the box.<BR />I want a reason to convince my management not to do SSL inspection on the same box.<BR /> Thu, 24 Jan 2019 16:26:57 GMT https://community.cisco.com/t5/network-security/ssl-inspection-on-cisco-asa/m-p/3787417#M991648 Arshad Safrulla 2019-01-24T16:26:57Z https://community.cisco.com/t5/network-security/ssl-inspection-on-cisco-asa/m-p/3787420#M991649 <P>Check this link in regards to throughout with IPS and NGIPS</P><P><SPAN><A href="https://www.cisco.com/c/dam/global/th_th/assets/docs/seminar/ASA5500_X.pdf" target="_blank">https://www.cisco.com/c/dam/global/th_th/assets/docs/seminar/ASA5500_X.pdf</A></SPAN></P> Thu, 24 Jan 2019 16:31:54 GMT https://community.cisco.com/t5/network-security/ssl-inspection-on-cisco-asa/m-p/3787420#M991649 Sheraz.Salim 2019-01-24T16:31:54Z https://community.cisco.com/t5/network-security/ssl-inspection-on-cisco-asa/m-p/3787572#M991651 <P>I is common knowledge/best practise to do SSL encryption/decryption on a separate box in your DMZ, back in the day, it was called "SSL offloading". all customers i support run this on a F5 Big IP (or radware box)</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 24 Jan 2019 21:08:39 GMT https://community.cisco.com/t5/network-security/ssl-inspection-on-cisco-asa/m-p/3787572#M991651 Dennis Mink 2019-01-24T21:08:39Z