
Firepower SSH decryption?

I understand that Cisco Firepower decrypts SSL. But it does not have a separate option for SSH decryption (like Palo Alto). My question is: does it decrypt it in the same policy (the SSL decryption policy, that is), or does it not?

2 Replies

Farhan Mohamed
Cisco Employee

As of the current FirePOWER software (Release 5.3.1), onboard SSL decryption for inspection of traffic is not supported. I've heard it may be coming in 5.4 (possibly later this quarter) but that's not yet available. When it is available, it will have a performance cost since line-rate SSL decryption is computationally intensive.

So for now you would have to use a Cisco SSL appliance. They have purpose-built hardware for SSL decryption.

In either case, the inline device that's opening and inspecting the SSL traffic would need to have a special certificate that's allowed to issue child certificates and be trusted by all your clients. That typically means you need to have (or establish) an Enterprise PKI. 
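The certificate requirement described above, as an added example that is not part of the thread and not Cisco's own tooling: an OpenSSL shell script that builds an enterprise root, signs a subordinate CA certificate for the inspection device (the "special certificate that's allowed to issue child certificates"), mints a per-site child certificate the way an inline device would, and checks that each chains back to the root clients must trust. All names and paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: an inline SSL inspection device needs a
# subordinate CA certificate, signed by the enterprise root that clients already
# trust, with basicConstraints CA:TRUE so it may issue child certificates.
# All names and paths below are assumptions for illustration.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Enterprise root CA (self-signed; openssl req -x509 marks it CA:TRUE) plus the
# subordinate CA the inspection device will hold.
build_inspection_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Enterprise Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=Example SSL Inspection Subordinate CA" \
    -keyout "$WORK/inspect.key" -out "$WORK/inspect.csr" 2>/dev/null
  # pathlen:0 lets the device sign leaf certificates only, never further CAs.
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign\n' \
    > "$WORK/sub.ext"
  openssl x509 -req -in "$WORK/inspect.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 365 \
    -extfile "$WORK/sub.ext" -out "$WORK/inspect.crt" 2>/dev/null
}

# What the device does per intercepted connection: mint a child certificate
# for the server name the client asked for ($1).
issue_child_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/inspect.crt" \
    -CAkey "$WORK/inspect.key" -CAcreateserial -days 30 \
    -extfile "$WORK/leaf.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Succeeds if the certificate is permitted to issue child certificates.
can_issue_children() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Succeeds if $1 chains to the enterprise root; $2 (optional) is the
# intermediate sent along with the chain, as the device would send it.
chains_to_root() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.crt" "$1" >/dev/null 2>&1
  fi
}
```

A client that has not been given root.crt fails exactly the last check, which is why the thread points at an enterprise PKI: every client must trust the root before the device's child certificates are accepted.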

Jawad Al Akrabawi
Cisco Employee

Firepower 5.4.1 and above is capable of doing SSL decryption, and the SSL decryption policy is way more granular with many different options.

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/200202-Configuration-of-an-SSL-Inspection-Polic.html

Regards,

Jawad