Cisco FTD - Block all SSL traffic from a specific host

JH8286
Level 1

I am trying to create a policy that blocks all SSL traffic to/from a particular host. I am using https curl to the host from a test client to prove this. 

I have tried adding an SSL policy which has the host and test client (both are in src/dst) with all the other filters set to 'any' and an action of Block with reset. The default policy action is Do Not Decrypt, as I do not want to interfere with other traffic, just this specific use case.

An access policy rule using the application 'HTTPS' also does not match. The only way I have successfully blocked the traffic is using dst. port tcp/443, but obviously this is easily circumvented with a port change.

Can anyone help advise? Thanks

3 Replies

FTD must detect encrypted data; how does it detect it?

Using port,

or using app (which uses the cloud or a database).

So in your case, you use port, not app.

MHM

JH8286
Level 1

Hmm OK, I don't want it to decrypt any traffic, I just want it to block ALL SSL of any kind from a specific host. Can the FTD not detect encrypted traffic, or the SSL handshake (CLIENT HELLO etc.), without actually decrypting?


Source/Destination Criteria for SSL Decryption Rules
 The default is any zone, address, geographical location, and any TCP port. TCP is the only protocol matched to SSL decryption rules.
Screenshot (573).png

Application Criteria for SSL Decryption Rules
The default is any application that has the SSL Protocol tag.
Screenshot (574).png


URL Criteria for SSL Decryption Rules
User Criteria for SSL Decryption Rules
Advanced Criteria for SSL Decryption Rules

After all of the above, which one is simple? Surely it is Src/Dst & TCP Port.

All HTTPS is TCP, but not all TCP is HTTP.

MHM
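The original poster's question is whether encrypted traffic can be recognised without decrypting it. It can: a TLS ClientHello is sent in the clear, so a device only needs to look at the first bytes of the TCP payload rather than the destination port. The following is an added example, not code from the thread or from Cisco, showing that port-independent check in Python. The ClientHello bytes it inspects are constructed inline by `build_client_hello()` (a minimal message, not a real capture), and the addresses, the `should_block()` policy function and the `blocked_host` parameter are hypothetical names chosen for the demo.

```python
"""Port-independent TLS ClientHello detection (added example, not from the thread or Cisco).

Demonstrates the check a middlebox needs in order to block TLS to/from one host
without decrypting anything: inspect the first TCP payload bytes for a TLS
handshake record carrying a ClientHello, regardless of the destination port.
"""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16   # TLS record content type "handshake"
CLIENT_HELLO = 0x01    # handshake message type "client_hello"
SNI_EXT = 0x0000       # server_name extension type
SNI_HOST_NAME = 0x00   # server_name entry type "host_name"


def is_client_hello(payload: bytes) -> bool:
    """True if the payload begins with a TLS record that carries a ClientHello."""
    if len(payload) < 11:
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    # Record layer version is 3.0 .. 3.3 (SSL 3.0 through TLS 1.2/1.3 record format)
    if content_type != TLS_HANDSHAKE or major != 3 or minor > 3:
        return False
    if payload[5] != CLIENT_HELLO:
        return False
    hs_len = int.from_bytes(payload[6:9], "big")
    # The handshake message (4-byte header + body) must fit inside the record.
    return hs_len + 4 <= rec_len


def extract_sni(payload: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if absent/malformed."""
    if not is_client_hello(payload):
        return None
    body = payload[9:]  # skip 5-byte record header and 4-byte handshake header
    try:
        pos = 2 + 32                                   # client_version + random
        pos += 1 + body[pos]                           # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                           # compression_methods
        if pos + 2 > len(body):
            return None                                # no extensions block at all
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == SNI_EXT:
                p = pos + 2                            # skip server_name_list length
                while p + 3 <= pos + ext_len:
                    name_type = body[p]
                    name_len = struct.unpack("!H", body[p + 1:p + 3])[0]
                    p += 3
                    if name_type == SNI_HOST_NAME:
                        return body[p:p + name_len].decode("ascii")
                    p += name_len
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello with an SNI extension (demo input, not a capture)."""
    host = sni.encode("ascii")
    name_entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(name_entry)) + name_entry
    sni_ext = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03" + bytes(32)        # client_version 3.3, 32-byte random (zeros for the demo)
        + b"\x00"                      # session_id length 0
        + b"\x00\x02\x13\x01"          # cipher_suites: one entry, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                  # compression_methods: null only
        + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record header: handshake, version 3.1 (what most clients put in the first record)
    return struct.pack("!BBBH", TLS_HANDSHAKE, 3, 1, len(handshake)) + handshake


def should_block(src_ip: str, dst_ip: str, dst_port: int, payload: bytes, blocked_host: str) -> bool:
    """Hypothetical policy: block any TLS flow to/from blocked_host on any port, pass everything else."""
    if blocked_host not in (src_ip, dst_ip):
        return False
    # dst_port is deliberately ignored: a port change must not bypass the rule.
    return is_client_hello(payload)


if __name__ == "__main__":
    hello = build_client_hello("blocked.example")
    http = b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n"  # constructed plaintext on port 443
    print("TLS on 8443 from blocked host ->", should_block("10.0.0.5", "10.0.0.9", 8443, hello, "10.0.0.9"))
    print("plain HTTP on 443 to blocked host ->", should_block("10.0.0.5", "10.0.0.9", 443, http, "10.0.0.9"))
    print("SNI seen without decrypting ->", extract_sni(hello))
```

Two caveats a practitioner should keep in mind. The detection keys on the unencrypted ClientHello, so it is defeated by anything that hides that message (TLS wrapped in another tunnel, or a client that never sends a recognisable handshake on the flow); it does not need decryption, but it does need to see the first bytes of every TCP stream. And the SNI is only available when the client sends one in the clear; with Encrypted Client Hello the host name is not visible, although the record-type and handshake-type check in `is_client_hello()` still identifies the flow as TLS.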
