Firepower 4100 SSL features

gugonza2 · ‎05-16-2018

Hi Team,

I´m working with some RFP questions. The customer has implemented Firepower 4140 and they was waiting hardware acceleration support to implement SSL policies.

Now the customer launched a RFP to check if they configure SSL policies or work with another solution.

Please your help with the following questions:

- High Certificate Warnings: For certificate reassign, how are warnings communicated to endpoints when an invalid certificate is detected?

- High Certificate Errors: Should the SSL system connect to an SSL server with an invalid certificate, are there options to ignore and pass through the message to the endpoint or drop the connection based upon predefined configuration (e.g. ignore expired certificate warnings and pass warning to endpoint, block connections using self-signed certificates)?

- High Device Chaining: Can the system send unencrypted traffic to multiple devices, both inline and passive, in a defined chain (e.g. inline NGIPS e inline advanced malware detection e passive DLP)?

- High Traffic Management: Can the system send defined traffic (OSI layer 2/3/4/7) to different attached devices?

Thank in advance,

Nikolaj Pabst · ‎05-29-2018

Hi Gillermo Gonzalez,

If i understand your questions right:

1. When a certificate isn't trusted you will get a certificate warning as this: http://help.37signals.com/attachments/images/36/scaled/certificate%20error.png

You should beable to achive this with GPOs for almost all endpoint, please beaware that Firefox etc. will use cert-pinning soon, and SSL/TLS inspection won't be an option.

2. You can create rules based on the traffic and certificates. As far as i know its not an option to send the traffic decrypted to another unit - then you should put your FTD unit into IDS insted.

(Side remark, to enable Hardware Decryption: system support ssl-hw-offload enable in FXOS)