ASA With FirePower can't block Facebook videos

ricardo_puga (Level 1)

I created a rule to block Facebook Video in the Application Control window with the action Block with Reset, but when I open Facebook it keeps showing the videos. The sensor3d version is 6.2.

How can I block Facebook videos?

Best Regards

Ricardo Puga

11 Replies

Marvin Rhoads (Hall of Fame)

Since Facebook video (and other Facebook micro apps) is delivered via https, you need a decryption policy to open the full URI for AVC to be effective with Facebook and other similar sites/applications.

A decryption policy requires the IPS to be a "man in the middle" and it must therefore have a certificate that is trusted by all of your end users - i.e., via establishment of an enterprise PKI.

Hi Marvin


Thanks for the answer. Tomorrow, in a WebEx, I will do the configuration.

regards

Ricardo Puga

Hello Ricardo,

Refer to the following link to configure the SSL policy.

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/200202-Configuration-of-an-SSL-Inspection-Polic.html

Also, you have to disable HTTP/2 traffic from the site, since we have some issues with that.

Regards

Jetsy 

I have the same problem. Were you able to solve the issue?

Hi, today I did the SSL policy configuration with a self-signed certificate for the Firepower, but it doesn't work.

I created an SSL policy with Decrypt - Resign and put the applications Facebook Video and Facebook in it. When I open Chrome it shows the self-signed certificate, which is correct, but it does not block the Facebook videos.

After that I created another SSL policy for Facebook Video with the action Block with Reset and one SSL policy for the Facebook application with the action Decrypt - Resign, but it was not blocked.

The last thing I tried was an Application Control policy with the applications Facebook Comment, Like and Video, but none of them worked.

I attach the images of the configuration.

Try using the SSL Policy with the Decrypt and Resign only as you have shown in your one example.

Then reference that SSL Policy in your Access Control Policy (ACP). It's in the ACP where you should have a rule to Block with Reset. 

Something like this:

Hi Marvin 

I created an SSL policy that does Decrypt - Resign for the Facebook application, and in the ACP I created a rule that blocks with reset the Facebook Video application, but it does not work.

I attach images of the rules and the connection logs.

I hope you can help me.

Regards

The way you have it now should be correct to my understanding.

Is it possible to open a TAC case to look at it in real time?

Hi Marvin,

Regarding this matter, is it possible to block any video posted in your FB wall using this FB micro app? or should it be possible only with videos sourced from FB?

Thanks in advance

Hi Marvin, thank you in advance for your expert guidance. It is always helpful. Florida has passed HB379, which prohibits students in K-12 from accessing social media on school networks. The issue is blocking social media apps on personally owned mobile devices. I have an ACP rule blocking social media apps, but traffic still flows from that source. So I want to confirm that to block access to Facebook from devices using the mobile app, I need a decryption policy, and then the app blocking feature will function. Is this correct? Also, will SSL inspection / decryption create performance degradation? I am using a pair of FTD 4125 in HA config.

You can't really use a decryption policy for Facebook that will work with unmanaged devices. That's because every mobile device would need to trust the FTD's certificate when they try to go to FB.

This is better solved using URL Filtering which will prevent the DNS lookups. It can be further enhanced with a DNS rewrite rule that prevents users from using a different DNS instead and then another URL filtering rule that blocks DOH/DOT alternative DNS sites/addresses. Umbrella combined with FTD is usually the best combo for this functionality.
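The DNS-based approach above only holds if devices cannot route around the approved resolver, which is why the reply pairs URL filtering with a DNS redirect rule and a block on DoH/DoT. Below is an added example, not from the post or from Cisco, of the detection logic a firewall or a log review would apply: it classifies constructed flow records as plain DNS to a foreign resolver, DNS over TLS (port 853), or DNS over HTTPS (port 443 to a known resolver hostname seen in the SNI). The approved resolver address and the DoH host list are assumed values chosen for the example.

```python
from dataclasses import dataclass

# Assumed for this example: the school's own resolver (the only permitted DNS
# destination) and a sample list of public encrypted-DNS endpoints. Neither comes
# from the thread; a real deployment would use its own resolver and a fuller list.
APPROVED_RESOLVERS = {"10.10.0.53"}
ENCRYPTED_DNS_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "one.one.one.one"}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str        # "udp" or "tcp"
    dport: int
    sni: str = ""     # TLS server name, if a ClientHello was observed


def classify(flow: Flow) -> str:
    """Return why a flow is a DNS-bypass concern, or "ok" if it is not."""
    if flow.dport == 53:
        # Classic DNS is fine only toward the approved resolver; a DNS redirect
        # rule on the firewall would force everything else to that resolver.
        return "ok" if flow.dst in APPROVED_RESOLVERS else "dns-to-foreign-resolver"
    if flow.proto == "tcp" and flow.dport == 853:
        return "dot"   # DNS over TLS has a dedicated port and can be blocked outright
    if flow.proto == "tcp" and flow.dport == 443 and flow.sni.lower() in ENCRYPTED_DNS_HOSTS:
        return "doh"   # DNS over HTTPS hides inside 443; the SNI/URL is the only hook
    return "ok"


def parse_flow(line: str) -> Flow:
    """Parse one constructed record in the form: src dst proto dport [sni]."""
    parts = line.split()
    sni = parts[4] if len(parts) > 4 else ""
    return Flow(parts[0], parts[1], parts[2], int(parts[3]), sni)


# Constructed sample flows; addresses and hostnames are illustrative only.
SAMPLE_FLOWS = """\
10.20.5.17 10.10.0.53 udp 53
10.20.5.17 8.8.8.8 udp 53
10.20.5.18 1.1.1.1 tcp 853
10.20.5.19 104.16.248.249 tcp 443 cloudflare-dns.com
10.20.5.19 157.240.1.35 tcp 443 www.facebook.com
"""


def audit(text: str) -> list:
    """Classify every record in a block of flow lines."""
    return [(f.src, f.dst, classify(f)) for f in map(parse_flow, text.strip().splitlines())]


if __name__ == "__main__":
    for src, dst, verdict in audit(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {verdict}")
```

The last sample flow (the Facebook connection itself) is reported as "ok" by this check on purpose: it is the URL filtering rule, not the DNS controls, that blocks it. The DNS controls exist so that the hostname lookup the URL rule depends on cannot be moved to a resolver the firewall never sees.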
