
Cisco FDM can't bypass SSL decryption for MS Azure

tomrogers793
Level 1

Hi All,

I have set up SSL decryption for most traffic with a few exceptions and it is working well; however, when trying to sign in from the Azure CLI I am getting the following error:

HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /*tenant-name*.onmicrosoft.com/.well-known/openid-configuration 
(Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))

I tried to add Microsoft Azure to my SSL decrypt bypass rule and also added the URL categories 'Cloud and Data Centres' and 'SaaS and B2B', which portal.azure.com and login.microsoftonline are part of, yet the sites are still being decrypted and I still get the error from the Azure CLI that it was unable to verify the SSL certificate.

Has anyone managed to bypass decryption on Cisco FDM for Azure, or is this yet another thing FDM is unable to do?

5 Replies

You added a bypass; I think you need to clear conn and check again.

tomrogers793
Level 1

Thanks for the response; would clear xlate achieve the same thing?

No, you need clear conn:

clear conn address <ip>

Use the address in the command.

tomrogers793
Level 1

I tried to clear conn and it didn't have the desired effect; however, I think I have a resolution, and it's not the Cisco Firepower that's the issue.

Resolution:

The SSL decryption certificate needed to be added to the CA bundle certificate file C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem, and the system environment variable must be set to that path.

https://learn.microsoft.com/en-us/cli/azure/use-cli-effectively?tabs=bash%2Cbash2 (see the 'Work behind a proxy' section)

@MHM Cisco World Thanks for your help!
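The fix in the resolution above, appending the firewall's decryption CA to certifi's cacert.pem, as an added example (this is not code from the original thread, from the Azure CLI or from certifi). It assumes the caller supplies the bundle path and the CA in PEM form; the SAMPLE_* strings are constructed base64 placeholders, not real certificates, and the label text is invented. Comparing the DER bytes rather than the PEM text makes the merge idempotent even when the exported CA has Windows CRLF line endings or different wrapping:

```python
"""
Idempotently append a TLS-inspection (SSL decryption) CA certificate to a
certifi-style CA bundle. Added example, not code from the original thread,
the Azure CLI or certifi. Assumptions: paths and the CA PEM are supplied by
the caller; SAMPLE_* values are constructed placeholders, not real certs.
"""
import base64
import re
import ssl
import tempfile
from pathlib import Path

# One PEM certificate block; group(1) is the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def _der(body: str) -> bytes:
    """Decode a PEM body to DER so comparisons ignore wrapping and CRLF/LF."""
    return base64.b64decode("".join(body.split()))


def pem_to_der_set(pem_text: str) -> set:
    """All certificates in a PEM bundle as DER bytes ('#' comment lines ignored)."""
    return {_der(body) for body in PEM_BLOCK.findall(pem_text)}


def merge_ca_into_bundle(bundle: Path, ca_pem: str, label: str) -> int:
    """
    Append each certificate in ca_pem that the bundle does not already hold.
    Returns how many were appended; 0 means nothing changed, so re-running
    this after an upgrade that replaces cacert.pem is safe.
    """
    existing = pem_to_der_set(bundle.read_text())
    appended = []
    for m in PEM_BLOCK.finditer(ca_pem):
        der = _der(m.group(1))
        if der not in existing:
            appended.append(m.group(0))
            existing.add(der)
    if appended:
        # certifi's cacert.pem separates entries with '#' comment lines, so a
        # labelled comment keeps the added entry identifiable later.
        with bundle.open("a", newline="\n") as fh:
            fh.write(f"\n# {label}\n" + "\n".join(appended) + "\n")
    return len(appended)


def bundle_loads(bundle: Path) -> bool:
    """
    True if OpenSSL can parse the whole bundle. A DER file or a badly pasted
    block makes every verification fail, so check this before pointing the
    Azure CLI at the file. Missing file or parse error both return False.
    """
    try:
        ssl.create_default_context(cafile=str(bundle))
        return True
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False


# Constructed placeholders: valid base64, NOT real certificates.
SAMPLE_BUNDLE = (
    "# Issuer: Example Public Root (constructed)\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed public root placeholder").decode()
    + "\n-----END CERTIFICATE-----\n"
)
SAMPLE_INSPECTION_CA = (  # CRLF endings, as a Windows export would have
    "-----BEGIN CERTIFICATE-----\r\n"
    + base64.b64encode(b"constructed firewall decryption CA placeholder").decode()
    + "\r\n-----END CERTIFICATE-----\r\n"
)


def run_demo() -> dict:
    """Merge twice into a temporary copy of a bundle and report the counts."""
    with tempfile.TemporaryDirectory() as d:
        bundle = Path(d) / "cacert.pem"
        bundle.write_text(SAMPLE_BUNDLE)
        first = merge_ca_into_bundle(bundle, SAMPLE_INSPECTION_CA, "Firewall decryption CA")
        second = merge_ca_into_bundle(bundle, SAMPLE_INSPECTION_CA, "Firewall decryption CA")
        return {
            "first_run_added": first,
            "second_run_added": second,
            "certs_in_bundle": len(pem_to_der_set(bundle.read_text())),
        }


if __name__ == "__main__":
    print(run_demo())
```

Point merge_ca_into_bundle() at the real cacert.pem (or at a copy of it that you reference from REQUESTS_CA_BUNDLE, the variable the linked Microsoft page uses) and then call bundle_loads() on the result; the placeholder blobs above are not certificates and do not pass that check, which is exactly what it is there to catch.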

You bypass SSL decrypt, so you don't need the cert.

Anyway, if traffic must pass SSL decrypt then add the cert and check.

Thanks 

MHM
