Firepower 4100 SSL features

Hi Team,

I'm working with some RFP questions. The customer has implemented Firepower 4140 and they were waiting for hardware acceleration support to implement SSL policies.

Now the customer has launched an RFP to check whether they configure SSL policies or work with another solution.

Please help with the following questions:

- High Certificate Warnings: For certificate reassignment, how are warnings communicated to endpoints when an invalid certificate is detected?

- High Certificate Errors: Should the SSL system connect to an SSL server with an invalid certificate, are there options to ignore and pass through the message to the endpoint or drop the connection based upon predefined configuration (e.g. ignore expired certificate warnings and pass the warning to the endpoint, block connections using self-signed certificates)?

- High Device Chaining: Can the system send unencrypted traffic to multiple devices, both inline and passive, in a defined chain (e.g. inline NGIPS and inline advanced malware detection and passive DLP)?

- High Traffic Management: Can the system send defined traffic (OSI layer 2/3/4/7) to different attached devices?

Thanks in advance,

Re: Firepower 4100 SSL features

Hi Gillermo Gonzalez,

If I understand your questions right:

1. When a certificate isn't trusted you will get a certificate warning like this: http://help.37signals.com/attachments/images/36/scaled/certificate%20error.png

You should be able to achieve this with GPOs for almost all endpoints; please be aware that Firefox etc. will use cert-pinning soon, and SSL/TLS inspection won't be an option.

2. You can create rules based on the traffic and certificates. As far as I know it's not an option to send the traffic decrypted to another unit; then you should put your FTD unit into IDS instead.

(Side remark, to enable Hardware Decryption: system support ssl-hw-offload enable in FXOS)
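The certificate-error handling the question asks about (ignore an expired certificate but let the endpoint see its warning, block self-signed certificates) and the reply's answer (you build ordered rules on traffic and certificate properties) are the same idea: an ordered rule base evaluated against flags derived from the server certificate. The following Python is an added example that is neither the poster's nor Cisco's code and does not reproduce the FMC SSL policy configuration; the flag names, rule order, action names and the sample certificates are all constructed for this illustration.

```python
"""Toy model of an SSL/TLS inspection policy for server-certificate problems.

Added example (not Cisco code, not the forum poster's code). It models the
decision the question asks about: when the inspected server presents an
invalid certificate, should the connection be blocked, or passed so the
endpoint itself still sees the browser warning? All names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Action(Enum):
    DECRYPT_RESIGN = "decrypt-resign"        # inspect; endpoint sees the inspection CA's cert
    PASS_WITH_WARNING = "pass-with-warning"  # do not hide the problem; endpoint gets the original warning
    BLOCK = "block"                          # reset the connection before any payload flows


@dataclass(frozen=True)
class CertInfo:
    """Fields a decryption engine would extract from the server certificate."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    chain_trusted: bool   # assumed precomputed: issuer chains to a trusted root


def cert_flags(cert: CertInfo, now: datetime) -> frozenset:
    """Derive the problem flags the policy rules match on."""
    flags = set()
    if cert.subject == cert.issuer:
        flags.add("self_signed")
    if now > cert.not_after:
        flags.add("expired")
    if now < cert.not_before:
        flags.add("not_yet_valid")
    # A self-signed cert never chains to a root; report only the more specific flag.
    if not cert.chain_trusted and "self_signed" not in flags:
        flags.add("untrusted_issuer")
    return frozenset(flags)


@dataclass(frozen=True)
class Rule:
    name: str
    match: frozenset       # rule fires if the cert has ANY of these flags
    action: Action


# Ordered policy reflecting the question's two examples: self-signed is blocked
# outright, expired is allowed through with the endpoint warning preserved.
POLICY = (
    Rule("block self-signed", frozenset({"self_signed"}), Action.BLOCK),
    Rule("pass expired, keep warning", frozenset({"expired"}), Action.PASS_WITH_WARNING),
    Rule("block other untrusted", frozenset({"untrusted_issuer", "not_yet_valid"}), Action.BLOCK),
)
DEFAULT_ACTION = Action.DECRYPT_RESIGN   # clean certificate: decrypt and inspect


def evaluate(cert: CertInfo, now: datetime, policy=POLICY):
    """First matching rule wins, as in an ordered firewall rule base."""
    flags = cert_flags(cert, now)
    for rule in policy:
        if flags & rule.match:
            return rule.name, rule.action, flags
    return "default", DEFAULT_ACTION, flags


# Constructed sample certificates; a fixed 'now' keeps the results reproducible.
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
_VALID = (datetime(2020, 1, 1, tzinfo=timezone.utc), datetime(2021, 1, 1, tzinfo=timezone.utc))
_OLD = (datetime(2018, 1, 1, tzinfo=timezone.utc), datetime(2019, 1, 1, tzinfo=timezone.utc))
SAMPLES = {
    "public-site": CertInfo("CN=www.example.com", "CN=Example Public CA", *_VALID, True),
    "lab-box":     CertInfo("CN=lab.internal", "CN=lab.internal", *_VALID, False),
    "stale-site":  CertInfo("CN=old.example.com", "CN=Example Public CA", *_OLD, True),
    "rogue-ca":    CertInfo("CN=bank.example.com", "CN=Unknown Issuer", *_VALID, False),
    "stale-lab":   CertInfo("CN=old.internal", "CN=old.internal", *_OLD, False),  # expired AND self-signed
}


def decide_all():
    """Map each sample name to the action the policy produces."""
    return {name: evaluate(cert, NOW)[1] for name, cert in SAMPLES.items()}


if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        rule, action, flags = evaluate(cert, NOW)
        print(f"{name:12} flags={sorted(flags)} -> {action.value} ({rule})")
```

The "stale-lab" sample is there to show why rule order matters: a certificate that is both expired and self-signed hits the block rule first, so the more permissive expired rule never gets to pass it through. In a real deployment the flags would come from the engine's own chain validation rather than from a precomputed boolean, and the block decision should be logged with the flags that triggered it so the helpdesk can distinguish a policy block from a network fault.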