Cisco FTD Inline Set SSL decryption support

Hello,

We are planning to deploy a pair of FTD appliances for one of our customers. We will be running routed mode and will use inline sets for the connectivity. The customer wants to configure SSL decryption for both inbound (for published services) and outbound traffic (for user internet browsing). Please let me know whether there are any limitations for SSL decryption when we use inline sets.

Thanks

Shabeeb

7 Replies

marce1000
Hall of Fame

- Check this document: https://www.cisco.com/c/en/us/td/docs/security/firepower/623/fdm/fptd-fdm-config-guide-623/fptd-fdm-ssl-decryption.html

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   Then the mirror will always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

balaji.bandi
Hall of Fame

Adding to the other comment: make sure the hardware sizing is correct, depending on the traffic going in and out.

In our case, enabling the cache added more performance.

I suggest the good documents below to understand the flows. (I used the guide below to set one up.)

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3063.pdf

https://www.youtube.com/watch?v=Ra52ulwoVvY

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks guys for the response. I have enabled SSL interception for FTDs with L3 interfaces in the past.

Actually, in our current case our FTDs will not have L3 interfaces except the management interface. We will have only inline sets, which are like bump-in-the-wire. So is there any issue in enabling SSL interception for outbound and inbound traffic?

When it was configured as Layer 3, was this working? Check the guidelines for bump-in-the-wire (not that we have deployed it, so no comments).

This is the Cisco Community; if this is affecting your environment, reaching TAC is always the best option.

BB

Any update on the above query, guys?

I can't find any reference in the configuration guide saying so, but I don't think SSL decryption will work with an inline set.

The firewall needs to act as a man-in-the-middle and terminate the SSL session to inspect and then re-sign it. Since it is not in the path IP-wise it cannot do that.
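
Marvin's point is that decrypt-resign only becomes visible to the client as a leaf certificate re-signed by the firewall's CA, so the quickest way to confirm whether decryption is actually taking effect through a given inline set is to look at the issuer the client receives. The Python probe below is an added example, not from the thread or from Cisco; the CA name `Corp-FTD-Decrypt-CA`, the `resign-ca.pem` file and the sample certificate dicts are assumptions.

```python
import socket
import ssl

# Assumed CN of the internal CA installed on the FTD for the decrypt-resign
# action; an illustrative name, not a Cisco default. Substitute your own.
RESIGN_CA_CN = "Corp-FTD-Decrypt-CA"

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns:
# subject/issuer are tuples of RDNs, each RDN a tuple of (attribute, value) pairs.
SAMPLE_DECRYPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Corp-FTD-Decrypt-CA"),)),
}
SAMPLE_PASSTHROUGH = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Public CA Inc"),),
               (("commonName", "Public CA Inc RSA CA 2023"),)),
}


def rdn_value(name, attr):
    """Return the first value of `attr` in a getpeercert()-style name, or None."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def classify_peer_cert(cert, resign_ca_cn=RESIGN_CA_CN):
    """'decrypted' if the leaf was issued by the resign CA (the firewall terminated
    and re-signed the session), 'passthrough' for any other issuer, 'no-cert' if
    no validated certificate is available (getpeercert() is empty under CERT_NONE)."""
    if not cert:
        return "no-cert"
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    return "decrypted" if issuer_cn == resign_ca_cn else "passthrough"


def probe(host, resign_ca_file, port=443, timeout=5.0):
    """Connect through the firewall and classify the chain the client sees.
    The resign CA is added to the default trust store so a re-signed chain still
    validates; a verify failure usually means a re-signed leaf from a CA this
    host does not trust, which is itself worth flagging."""
    ctx = ssl.create_default_context()  # public roots + hostname check
    ctx.load_verify_locations(cafile=resign_ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify_peer_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        return "untrusted-issuer"
```

Run `probe("www.example.com", "resign-ca.pem")` from a host behind the inline set: `decrypted` means the resign action is in effect for that flow, `passthrough` means the original server chain reached the client untouched.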

Hi Marvin,

I had the same doubt, and that is the primary reason why I started the thread. Anyway, I am trying to check it internally with Cisco and get the confirmation. I will update once I get a response from them.

Thanks

Shabeeb
