10-14-2015 05:51 AM - edited 03-12-2019 05:47 AM
We have a pair of ASA 5525 with sourcefire enabled. I'm tasked with blocking access to some websites capable of file uploads like facebook or linked in. The issue I'm having is sites using http:// get the block response page. SSL sites using the https:// time out eventually then display page cannot be displayed.
So the sourcefire is doing its job blocking access to restricted sites, but the concern is that users will get "page cannot be displayed" and cause an influx of unnecessary calls to our helpdesk thinking the internet access is down...
I've scoured the user guide but there doesn't seem to be an obvious answer on how to get the SSL sites to display the block response page. If anyone knows the fix for this, please do share; I'd be greatly appreciative. Thanks
02-24-2017 07:38 AM
Nothing special. Just use a Decrypt with Resign policy.
02-24-2017 07:52 AM
As Claudiu mentioned, the key here is to decrypt the traffic first. For that you need to have an SSL Policy; this can be found under Policies > Access Control > SSL. Key things to have in mind when deciding to decrypt SSL traffic:
- There are some web apps that DO NOT LIKE you decrypting the traffic (i.e. Office 365). It is key that you add the respective SSL policies to Not Decrypt this traffic. You can use certificate CNs to white-list the traffic. O365 is just an example; you will need to observe your network so you know which applications will need to be white-listed.
- I would recommend only decrypting traffic of interest and not all traffic. The more decryption/resigning you have going on, the bigger the hit on performance. I wouldn't go too crazy if you are just running a 5506.
- Be sure you have distributed the firewall's certificate to your clients (computers, servers) before you put an SSL policy in play.
Once you create the SSL policy, you need to assign it to your Access Control Policy. When you open your policy, you will see at the top an option that says "SSL Policy:"; here you can assign the policy you just created.
Lastly, a lot can go wrong with SSL decryption if not done right. Although I have done it on a few appliances, I always run tests on each environment before production.
06-22-2017 04:41 AM
We have created an SSL Policy that matches interesting traffic utilizing the decrypt-resign action. A corresponding Access Control Policy blocking the interesting traffic with an HTTP responder has also been created.
When browsing to an SSL/HTTPS site using Internet Explorer, the site is properly blocked and we receive the HTTP response page.
However, when using Chrome/Firefox browsers, the page does not properly inject. Each browser complains about HTTP Strict Transport Security (HSTS).
Anyone else running into this issue? Any fixes?
06-27-2017 10:56 AM
If the webpage uses HSTS I do not think that you will be able to "fix" this.
It is working as intended.
09-06-2021 08:31 AM
As long as SSL Decryption is running, then yes, you can display a block response for HTTPS websites.
However, for HSTS websites, SSL Decryption can't work, because it's basically viewed as a "Man In The Middle" attack.
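The last three posts turn on whether a site enforces HSTS, since that decides whether an HTTPS block page can be shown at all. The script below is an added example (not from this thread or from Cisco) that parses the Strict-Transport-Security header out of captured HTTP responses so an administrator can list, ahead of time, which destinations will produce a browser HSTS error instead of the block page. The host names and response text are constructed samples; `enforcing_hsts_hosts` is a hypothetical helper, not a Firepower feature.

```python
"""Inventory HSTS enforcement from captured HTTPS response headers.

Added example, not part of the original thread. Per RFC 6797 a policy is in
force when max-age is greater than zero; max-age=0 tells the browser to drop
any stored policy. Note that browsers also ship a built-in HSTS preload list,
so a host missing from the captured headers may still be enforced client-side.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class HstsPolicy:
    host: str
    max_age: int
    include_subdomains: bool
    preload: bool

    @property
    def enforcing(self) -> bool:
        # max-age=0 is an explicit "forget this policy", so it does not enforce.
        return self.max_age > 0


def parse_hsts(header_value: str) -> tuple[int, bool, bool] | None:
    """Parse the directives of one Strict-Transport-Security header value.

    Returns (max_age, includeSubDomains, preload), or None when the header is
    malformed (missing or non-numeric max-age), which browsers ignore.
    """
    max_age: int | None = None
    include_subdomains = False
    preload = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            try:
                max_age = int(value)
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_subdomains, preload


def find_header(raw_response: str, name: str) -> str | None:
    """Return the value of the first header called `name` (case-insensitive)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def classify(host: str, raw_response: str) -> HstsPolicy | None:
    """Build an HstsPolicy for `host`, or None if it sends no usable header."""
    header = find_header(raw_response, "Strict-Transport-Security")
    if header is None:
        return None
    parsed = parse_hsts(header)
    if parsed is None:
        return None
    max_age, include_subdomains, preload = parsed
    return HstsPolicy(host, max_age, include_subdomains, preload)


def enforcing_hsts_hosts(responses: dict[str, str]) -> list[str]:
    """Hosts whose captured response puts an HSTS policy in force."""
    result = []
    for host, raw in responses.items():
        policy = classify(host, raw)
        if policy is not None and policy.enforcing:
            result.append(host)
    return sorted(result)


# Constructed sample responses (hostnames use the reserved .invalid TLD).
SAMPLE_RESPONSES: dict[str, str] = {
    "www.example-social.invalid": (
        "HTTP/1.1 200 OK\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
        "Content-Type: text/html\r\n\r\n<html></html>"
    ),
    "intranet.example.invalid": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "legacy.example.invalid": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\n\r\n",
    "cdn.example.invalid": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=abc\r\n\r\n",
}

if __name__ == "__main__":
    for host in enforcing_hsts_hosts(SAMPLE_RESPONSES):
        print(f"{host}: HSTS in force; expect a browser error rather than the block page")
```

Feed it real captured responses (for example from a packet capture taken on the inside interface) and the hosts it lists are the ones where a Block with reset or a Do Not Decrypt rule, plus a note to the helpdesk, will serve users better than expecting the HTTP responder page to render.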