Firepower can't handle long HTTP request (SCEP request)

lyutov_dv
Level 1

Hi!

I have a problem... We have a SCEP server behind Firepower and I want to limit access to it from some networks to a specific URL only (<server address>/certsrv/mscep/mscep.dll/pkiclient.exe&operation=). I want to do this to prevent connections to the admin part of the SCEP server.

I created an access rule for this URL, and it works when the client is trying to receive the CA cert, but it doesn't work when the client sends the SCEP request. I think this happens because it can't reassemble the long TCP or HTTP stream and can't see the full URL. When I capture traffic, I see that Firepower blocks the connection before the client has sent the full request.

What TCP or HTTP parameters on Firepower should I tune to avoid this behavior?

6 Replies

Marvin Rhoads
Hall of Fame

If you're trying to create an ACP that filters on an HTTPS URL, you would need to decrypt and re-sign to fully parse the full URL (i.e. including the section following the top-level domain (if using DNS) or server address).


URLs of up to 255 characters should be supported by default.
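The following is an added example, written for this page rather than taken from the question or from Cisco. It builds the two SCEP GET requests the question is about (GetCACert, then PKIOperation carrying a base64 PKCS#7 message) and compares how much of each request target a URL rule can see when it looks only at the first TCP segment versus the fully reassembled stream, and how each URL length compares with the 255-character figure in the reply above. The host name, the 1460-byte segment size, the 2 KB stand-in for the PKCS#7 envelope, the hypothetical /certsrv/admin/ path and the rule logic itself are all assumptions for the simulation; none of it is Firepower's inspection engine.

```python
"""Simulate URL visibility for short vs. long SCEP requests across TCP segments.

Added example for this page; not Firepower logic and not code from the original post.
"""
from __future__ import annotations

import base64
from typing import Optional
from urllib.parse import urlencode, urlsplit

HOST = "scep.example.test"            # assumption: the post elides the real host
SCEP_PATH = "/certsrv/mscep/mscep.dll/pkiclient.exe"
URL_LIMIT = 255                       # default URL length from the reply above
MSS = 1460                            # assumption: typical Ethernet TCP payload size


def scep_url(operation: str, message: Optional[str] = None) -> str:
    """Build the query-string form of a SCEP GET request target."""
    params = {"operation": operation}
    if message is not None:
        params["message"] = message
    return f"{SCEP_PATH}?{urlencode(params)}"


def constructed_pkcs7_blob(n_bytes: int = 2048) -> bytes:
    """Deterministic bytes standing in for the PKCSReq PKCS#7 envelope (constructed, not a real CSR)."""
    return (bytes(range(256)) * (n_bytes // 256 + 1))[:n_bytes]


def example_pki_operation_url() -> str:
    """The long PKIOperation request target a SCEP client would send."""
    blob = base64.b64encode(constructed_pkcs7_blob()).decode("ascii")
    return scep_url("PKIOperation", blob)


def http_request(url: str) -> bytes:
    """Minimal HTTP/1.1 GET for the given request target."""
    return f"GET {url} HTTP/1.1\r\nHost: {HOST}\r\n\r\n".encode("ascii")


def tcp_segments(stream: bytes, mss: int = MSS) -> list[bytes]:
    """Split the request bytes into MSS-sized TCP segments."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def url_visible(segments: list[bytes], reassemble: bool) -> tuple[str, bool]:
    """Return (request_target, complete) as seen by an inspector.

    reassemble=False models an engine that decides on the first segment only;
    a target is 'complete' once the ' HTTP/' that ends the request line is visible.
    """
    buf = b"".join(segments) if reassemble else segments[0]
    if buf.find(b" HTTP/") == -1:
        # request line cut off mid-target: only a prefix is visible
        return buf.split(b" ", 1)[1].decode("ascii", "replace"), False
    return buf.split(b" ", 2)[1].decode("ascii"), True


def rule_verdict(url: str, complete: bool) -> str:
    """Hypothetical allow-list rule: only the pkiclient.exe path is allowed.

    The rule refuses to decide on an incomplete target, which is the honest
    behaviour; an engine that instead fails closed here would drop the flow.
    """
    if not complete:
        return "undecided (request target incomplete)"
    return "allow" if urlsplit(url).path == SCEP_PATH else "block"


def analyse(url: str) -> dict:
    """Summarise URL length and what a first-segment vs. reassembled inspector decides."""
    segs = tcp_segments(http_request(url))
    first_url, first_ok = url_visible(segs, reassemble=False)
    full_url, full_ok = url_visible(segs, reassemble=True)
    return {
        "url_length": len(url),
        "over_limit": len(url) > URL_LIMIT,
        "segments": len(segs),
        "first_segment_complete": first_ok,
        "first_segment_verdict": rule_verdict(first_url, first_ok),
        "reassembled_verdict": rule_verdict(full_url, full_ok),
    }


if __name__ == "__main__":
    cases = {
        "GetCACert": scep_url("GetCACert", "ca-ident"),
        "PKIOperation": example_pki_operation_url(),
        "admin (hypothetical)": "/certsrv/admin/",
    }
    for name, url in cases.items():
        print(f"{name}: {analyse(url)}")
```

Running it shows the GetCACert target fitting in one segment and well under 255 characters, while the PKIOperation target is several thousand characters long and spans multiple segments, so any decision taken before reassembly is made on a truncated request line. That is the behaviour the question describes; which Firepower knobs change it is not something this simulation can tell you.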