07-27-2016 02:47 AM - edited 03-12-2019 06:05 AM
Hi,
Now, I am testing ASA Firepower SSL inspection with 6.0. I configured CA as FSMC, SSL policy, Access control rules. Then I can go to https://www.google.com, https://www.cisco.com or other HTTPS websites. But I am facing a problem with other HTTPS sites like Gmail and Facebook. I can't go to those websites. How can I do that? Please help me. I have attached some screenshots. Thanks.
07-27-2016 09:43 AM
Most likely your computer doesn't trust the FSMC CA. Firefox maintains its own trusted CA list, whereas most of the other browsers get their trusted CA list from the OS. Make sure you import the FSMC CA into your trusted certificate store via the Microsoft Certificate snap-in and into the trusted CA store in Firefox.
Also, Chrome will prevent man-in-the-middle certificates to Google websites. If you use Chrome you will need to make an exception to not decrypt Google websites: google.com, gmail.com, youtube.com.
-Smalley
07-27-2016 11:33 PM
Hi Greg,
Thanks. I already tried that. It is OK. But we aren't able to import the certificate on every PC or laptop in the live network, right? We can have 100 or 1000 users in our network. So how can I automatically import it from the firewall to the clients? We would also like to block FB chat, post, comment or others. How can we do that? I already tried to block chat, post. It is not working on version 6.0.
07-28-2016 06:09 AM
On a network you would typically use Group Policy to disperse the needed certificate into the Trusted certificate store. If you are using Firefox you would need to use something like PolicyPak, as Firefox doesn't natively use the Microsoft Cert store.
07-28-2016 06:24 PM
Thanks again. How about your idea to block FB chat, post or other social messaging apps with Cisco Firepower? Actually, it cannot block them?