
Can firewall decrypt SSL or other encrypted traffic ?

kyisoethin
Level 1

Hi 

I want to know if firewall can decrypt encrypted traffic.

If so, which firewall can do so.


6 Replies

Hi kyisoethin,

No, Cisco ASAs have the ability to decrypt encrypted traffic, but the Cisco ASA 5500-X series firewall with FirePOWER modules has the ability to decrypt and inspect SSL traffic. Follow the link for more information.

https://www.a10networks.com/blog/ssl-inspection-decryption-cisco-asa-firepower

But other vendors' firewalls, like Palo Alto, can do so. Follow the link for more information.

https://www.paloaltonetworks.com/features/decryption

If this is helpful, please give it a thumbs up.

Spooster IT Services Team

Thank you for your answer.

I have more questions about it.

If a firewall can decrypt IPsec or SSL, how can this be?

How do they get the decryption/encryption key?

For IPsec, the common deployment is using a pre-shared key, which needs to be configured at both firewall ends. This is the key used conceptually to encrypt/decrypt. You can look for the exact way of encryption/decryption as IPsec IKEv1 goes through phase 1 and phase 2. During this negotiation, it will extract the actual encryption key, authentication key and nonce.

For SSL, it is based on cryptography. The user will authenticate the firewall certificate using its trusted root CA. After successful verification, they will use public key/private key to exchange session-key which will be used during the session life for encryption/decryption. This is the case for client and client-less.

You can look up more online to get the details about how this happens, as it's a lengthy process.

Thanks.

I get it.

For SSL, I think the firewall proxies the communication. It sends the client its own certificate and the client verifies it. After that, the firewall creates an SSL connection to the other client. So there are two SSL connections.

Am I right?

Correct.

Spooster IT Services Team
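The two-connection model confirmed above (the firewall presents its own certificate to the client, and the client only proceeds if it trusts the CA that issued it), as an added Go example that is not part of this thread: the "Corp SSL Inspection CA" name and www.example.com are constructed, and the listener on 127.0.0.1 stands in for the client-facing side of the firewall.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert returns a certificate for cn: a self-signed CA when parent is nil, otherwise a server certificate signed by parent/parentKey (how an inspecting firewall mints per-site certificates).
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, DNSNames: []string{cn},
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ClientAccepts plays the client-facing half of the proxy: a loopback TLS listener presents leaf for site, and the result says whether a client that trusts only roots completes the handshake.
func ClientAccepts(site string, leaf *x509.Certificate, leafKey ed25519.PrivateKey, roots *x509.CertPool) bool {
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return false
	}
	defer ln.Close()
	go func() { // "firewall" side: accept one client and drive its handshake
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: site})
	if err != nil { // e.g. "x509: certificate signed by unknown authority"
		return false
	}
	conn.Close()
	return true
}
```

A client whose trust store lacks the inspection CA, or a certificate minted for a different host name, fails the handshake exactly as the user's browser would without the enterprise root installed.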

Hi,

Ordinary firewalls which perform firewalling functions only, such as the ASA, can decrypt IPsec traffic only, which is encrypted. SSL can't be decrypted with ordinary firewalls.

The next-gen firewalls can decrypt SSL traffic and intercept it. This needs a lot of processing power, which isn't present in ordinary firewalls.
