Web SSL Inspection

Juraj Ban
Level 1

Can an ASA with FirePower services inspect SSL traffic, or do we need an SSL inspection appliance?

How can the ASA enforce Application Control for SSL? Let's say, allow only reading of Social Networking while blocking upload/post, if it is not able to see inside SSL?

4 Replies

Puneesh Chhabra
Cisco Employee

The ASA cannot block HTTPS.

Firepower has a URL-blocking option that treats HTTP and HTTPS as equal.

You can go through it for more info:


http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/AC-Rules-App-URL-Reputation.html#pgfId-1537119


Regards,

Puneesh

Please rate the helpful posts

Hi,

Thank you for answer.

But then I'll still have the usual issues when there is no SSL interception, like:

  • Blocking all destinations that don't have a valid cert.
  • Cannot see inside HTTPS traffic for, let's say, DLP or malware scanning.
  • Cannot see inside HTTPS traffic for HTTP methods; you can only see the HTTPS CONNECT method.
  • Block SSL: the user cannot see an error page because there is no SSL interception.

So, for that we need an SSL appliance?

Yes, you'd require web application firewalls for all those.


Regards,

Puneesh

Please rate the helpful posts

Hi,

Adding on to what Puneesh said, we can use a DNS regex on the ASA device if the DNS queries are going through the ASA device, and then block the HTTPS websites as well, if only blocking is required and not looking into the SSL header.

Thanks and Regards,

Vibhor Amrodia
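The DNS-regex approach described in the reply above, written out as an added configuration example (this is not configuration from the original thread or from Cisco's documentation). It uses the ASA's DNS inspection policy to drop DNS replies for matching domain names, so a client that resolves through the ASA never learns the IP of the blocked site and the HTTPS connection fails before any TLS handshake, without the ASA having to look inside SSL at all. The regex, the class-map and policy-map names, and the choice of social-networking domains are all assumptions made for this example.

```cisco
! Added example: block DNS resolution of chosen domains with ASA DNS inspection.
! Names, regexes and domains below are assumptions for illustration only.

! Regular expressions for the domain names to block (escaped dots, anchored at end).
regex DNS_SOCIAL_1 "(^|\.)facebook\.com$"
regex DNS_SOCIAL_2 "(^|\.)twitter\.com$"

! Group the regexes so one class-map matches any of them.
class-map type regex match-any DNS_SOCIAL_DOMAINS
 match regex DNS_SOCIAL_1
 match regex DNS_SOCIAL_2

! DNS inspection class: match queries/answers whose domain name hits the regex class.
class-map type inspect dns match-all DNS_BLOCK_SOCIAL
 match domain-name regex class DNS_SOCIAL_DOMAINS

! DNS inspection policy: keep sane message limits, drop and log matching packets.
policy-map type inspect dns DNS_INSPECT_BLOCK
 parameters
  message-length maximum 512
 class DNS_BLOCK_SOCIAL
  drop log

! Replace the default DNS inspection in the global service policy with the new one.
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
  inspect dns DNS_INSPECT_BLOCK
```

Two caveats worth checking before relying on this: it only works when the clients' resolver traffic actually traverses the ASA (a client using a local DNS server on the same segment, a hard-coded IP, or DNS over HTTPS bypasses it entirely), and it is all-or-nothing per domain, so it cannot give the "read but don't post" split asked about in the original question; that still needs TLS interception.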
