
SSL inspection with FMC

ethutchinson
Level 1

I found out recently my FMC's (6.4.0.4) URL filter was not catching HTTPS traffic (my bad), so I started researching how to do this. I have downloaded the cert from my CA and I was about to install it and set up the SSL policy. Before I do this, can I get some advantages (obvious) and disadvantages (performance?) to doing this? I know it looks pretty obvious, but I wanted to know if I am missing something in my planning. I guess one of my major fears/concerns would be blocking a good site either internally or externally accessed. We have about 500 desktops and if I am going to wreck their days I want to know ahead of time.

Thanks

3 Replies

Hi,

The advantage of using SSL decryption is being able to determine what sites are being accessed and denying access - this could be malicious traffic, which you'd want to block. You are correct, enabling SSL decryption would have an impact on performance.

What hardware are you using?

And what is the bandwidth of your internet connection?

ASA 5515x's with two 100mb shared connections

The screenshot below is from the Firepower Performance Estimator, set at 100Mb bandwidth with only the Base and SSL Decryption features enabled. The output indicates the performance of the different ASA models, except the 5515X, so I cannot estimate what the impact will be.

[Screenshot: Capture.PNG]
