AMP SSL decryption

ashleybabajee
Level 1

Hi,

I have AMP for network on Firepower 2130, have configured file policy etc. and have been using this site to test:

https://www.eicar.org/?page_id=3950

HTTP requests are blocked by AMP, however HTTPS are not. We then configured SSL decryption, imported the certificate etc., however it still doesn't work.

Any help or guide would be much appreciated.


Thanks

3 Replies

Marvin Rhoads
Hall of Fame

Have you confirmed your SSL decryption policy is working for the target page?

That said, decrypting SSL/TLS en masse to protect against malware is generally a dead-end exercise. It's much more effective to protect on the endpoints using something like Cisco AMP for Endpoints.

Hi @Marvin Rhoads

Yes, decryption works; I do get the page loaded with the certificate. When I do an HTTP download it blocks the files, however for HTTPS it doesn't.

We already got AMP for network, so I guess we have to make it work and maybe later migrate to Endpoint ones.

Hmm, SSL decryption definitely takes place prior to File analysis in the order of operations.

Can you share a screenshot of your relevant ACP rule and associated file and SSL policies?

I wonder if you are hitting a bug. What Firepower version are you running by the way?

You may want to open a TAC case on this as it seems you have the right elements in place to make it work.
