We are looking to migrate from ASA 5520 to a NGFW/IPS. We want to do SSL traffic inspection inbound. However, I am being told that the ASA5500-X series does not support SSL traffic inspection as a feature, so we would need a separate Firepower appliance to perform the SSL inspection. Is this correct? Please advise. Thanks.
SSL decryption capability is evolving on the FirePOWER platforms.
Traditionally Sourcefire (and now Cisco) offered it on dedicated SSL appliances.
Version 5.4 of the FirePOWER software (released just last month) added the capability on the non-ASA dedicated sensors (FirePOWER 3D and AMP appliances).
Version 6.0 (due out later in 2015) will add the capability on the ASA FirePOWER service modules.
The ASA-based service modules (both software and SSP hardware modules) will not have the SSL decryption capability until version 6.0.
Both the software and SSP Firepower modules have the ability to perform SSL decryption with the release of Firepower 6.0. However, you have to be cautious running it on the software modules since it does consume a bit of resources and you are going to take a large hit on the throughput, somewhere in the region of 50% to 70%. The hardware modules are better equipped to handle the processing and will take a considerable performance hit as well, but if you absolutely want to run SSL decryption on the software-based modules I would open a TAC case and validate your configuration before implementing.
Yes, it is now supported in 6.0 on the FirePower modules. I would be careful, though, implementing it, as there is a huge overhead on the module. What model ASA do you have and how many users would be going through it?
I would be very cautious about using the SSL decryption on the ASA. Even though it's not available, everyone that I have talked to at Cisco says it will crush the ASA. If this is a must, I would suggest using an Ironport WSA to decrypt the SSL traffic, since they are purpose-built to decrypt URL traffic.