2159 Views | 0 Helpful | 8 Replies
PATRICK HARRIS
Enthusiast

Cisco ASA/Firepower - NGFW/IPS

We are looking to migrate from ASA 5520 to a NGFW/IPS. We want to do SSL traffic inspection inbound. However, I am being told that the ASA5500-X series does not support the SSL traffic inspection as a feature, so we would need a separate Firepower appliance to perform the SSL inspection. Is this correct? Please advise. Thanks.

8 REPLIES
Marvin Rhoads
VIP Community Legend

SSL decryption capability is evolving on the FirePOWER platforms.

Traditionally Sourcefire (and now Cisco) offered it on dedicated SSL appliances.

Version 5.4 of the FirePOWER software (released just last month) added the capability on the non-ASA dedicated sensors (FirePOWER 3D and AMP appliances).

Version 6.0 (due out later in 2015) will add the capability on the ASA FirePOWER service modules.

So is it supported on the ASA5585-X with the FirePOWER SSP module?

No.

The ASA-based service modules (both software and SSP hardware modules) will not have the SSL decryption capability until version 6.0.

Since 6.0 is out now, do the SFR modules support SSL decryption? I've yet to find a clear answer on this.

Both the software and SSP Firepower modules have the ability to perform SSL decryption with the release of Firepower 6.0. However, you have to be cautious running it on the software modules, since it does consume a bit of resources and you are going to take a large hit on the throughput, somewhere in the region of 50% to 70%. The hardware modules are better equipped to handle the processing but will take a considerable performance hit as well. If you absolutely want to run SSL decryption on the software-based modules, I would open a TAC case and validate your configuration before implementing.

Thanks guys! That's exactly what I needed.

Yes, it is now supported in 6.0 on the FirePOWER modules. I would be careful, though, implementing it, as there is a huge overhead on the module. What model ASA do you have, and how many users would be going through it?

deyster94
Contributor

I would be very cautious about using the SSL decryption on the ASA. Even though it's not available, everyone that I have talked to at Cisco says it will crush the ASA. If this is a must, I would suggest using an IronPort WSA to decrypt the SSL traffic, since they are purpose-built to decrypt URL traffic.