07-03-2019 10:02 PM
Hi,
I have AMP for network on Firepower 2130, have configured file policy etc. and have been using this site to test:
https://www.eicar.org/?page_id=3950.
HTTP requests are blocked by AMP, however HTTPS ones are not. We then configured SSL decryption, imported the certificate etc., however it still doesn't work.
Any help or guide would be much appreciated.
Thanks
07-04-2019 07:42 AM
Have you confirmed your SSL decryption policy is working for the target page?
That said, decrypting SSL/TLS en masse to protect against malware is generally a dead-end exercise. It's much more effective to protect on the endpoints using something like Cisco AMP for Endpoints.
07-04-2019 09:27 PM
Yes, decryption works, I do get the page loaded with the certificate. When I do an HTTP download it blocks the files, however for HTTPS it doesn't.
We already got AMP for network, so I guess we have to make it work and maybe later migrate to Endpoint ones.
07-06-2019 08:40 PM
Hmm, SSL decryption definitely takes place prior to File analysis in the order of operations.
Can you share a screenshot of your relevant ACP rule and associated file and SSL policies?
I wonder if you are hitting a bug. What Firepower version are you running by the way?
You may want to open a TAC case on this as it seems you have the right elements in place to make it work.