Bypass Dropbox decryption on ASA CX

omar.leon
Level 1

Hi, 

I have a client with an ASA 5515-X and a CX module for URL filtering and AVC. All the users have Dropbox or Google Drive and at the moment they have synchronization issues; we can identify that the problem is in the decryption policies. The user guide for ASA CX ver 9.3 indicates that these problems may occur and the solution is:

  1. Create objects that identify the destination of the traffic. For HTTPS, you can use URL objects; for other types of TLS traffic, use network objects.
  2. Create a decryption policy that uses the object as the destination and apply the Do Not Decrypt action. Ensure that the policy is higher in the policy set than any policies that would apply decryption processing on the same traffic.

source: http://www.cisco.com/c/en/us/td/docs/security/asacx/9-2/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_2/prsm-ug-cx-decryption.html#task_885A6AD45CE54E63ABDE9F771669EFE0

But the problem is that when I try to create objects to bypass the decryption policies, the only object types available in the decryption policies in CX are:

  • network object
  • network object group
  • CX network group
  • URL object
  • destination object group

 

I use a network object with the FQDN dropbox.com, but this is not effective for bypassing the encryption policy “decrypt everything”; obviously I can’t bypass based on application objects (they are not available in the bypass object options). What is the best option to discriminate the Dropbox traffic in the decryption policies?
