01-17-2020 07:12 AM
Is there a way to create a do not decrypt rule for a set of domains or FQDNs? I do not see a URL tab in the SSL ACP. Running 6.4.0.4 FMC. Closest alternative is to either know the destination IPs or hope the application tab has a match.
01-19-2020 10:10 PM
Hi,
Did you try with a rule using DN and CN? You can match CN or DC for the required website which you don't want to decrypt.
01-18-2020 01:59 AM
Hi,
I think there is no option to create a rule with an FQDN; you need to know the FQDN's resolvable IP. If you try creating an FQDN in the SSL rule, it will not display FQDN objects there. I think it's a limitation that Cisco needs to address in feature releases.
HTH
Abheesh
01-20-2020 07:40 AM
Hey guys,
Yeah, so I tested adding a site to the subject DN and it didn't decrypt, which is good. Does this also do subdomains or do you need to add an asterisk? I was under the impression Firepower doesn't like asterisk characters for wildcards.
01-20-2020 10:13 AM
Hi,
* should be working fine. In fact, they are using * in the snapshot I attached in the previous comment.
01-20-2020 12:30 PM
Thanks, just tested the asterisk and it did work.