Firepower SSL decrypt - What?

Hello Everyone

We have a fleet of FTDs and some ASAs that are being phased out.

I have SSL decrypt working and have successfully tried all the functionality, and it works as expected. But now I am wondering, in networks with several thousand users and devices, what is it worth to decrypt with security/malware in mind? I'm also thinking that one must be careful regarding CPU usage and so on.

Thanks in advance for any insight on this.

Please rate as helpful, if that would be the case. Thanks
3 Replies

balaji.bandi
Hall of Fame

It all depends on the security requirement. If you like to go ahead and decrypt the traffic, you have to stage it level by level, monitoring the CPU level. (Most of the model documentation shows you what kind of traffic those boxes can handle; that is part of the sizing guide.)

You can also choose what site you like to decrypt, and the source IP also.

Tuning tips:

balajibandi_0-1697633250076.png


BB

***** Rate All Helpful Responses *****


The traffic is not immediately decrypted, and not all traffic is decrypted.

The traffic must pass prefilter and ACP, then the whitelist/blacklist, before it is decrypted.

Marvin Rhoads
Hall of Fame

It's rarely possible to decrypt outgoing traffic due to the need to decrypt and re-sign everything, which requires having a Certificate Authority that all your user computers trust as a root / signing CA. Plus, even if you have that, many web sites and applications will not allow it due to things like HSTS and certificate pinning. There are better methods to protect your users and traffic.

Incoming traffic to servers you host is generally more amenable to decryption and is a good option since it allows you to see the plain text contents of traffic destined for your servers and more effectively scan for indications of compromise and attacks.
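Added example, not part of this thread and not Cisco code or FTD configuration syntax: a small offline planner that models the evaluation order described in the replies (prefilter fastpath, then ACP block, then a do-not-decrypt list for pinned or sensitive destinations, then decryption scoped by source subnet) and reports how much of a constructed set of flows would actually reach the decryption engine. The flow records, categories, hostnames (all under the reserved `.test` TLD) and policy fields are constructed for illustration; the point is to estimate the share of bytes that will cost CPU before enabling decryption on a large user population.

```python
import ipaddress
from collections import Counter

# Constructed sample flows (not real traffic): source IP, TLS SNI, URL category, bytes
SAMPLE_FLOWS = [
    {"src": "10.1.1.10", "sni": "update.example-vendor.test", "category": "software-updates", "bytes": 500_000_000},
    {"src": "10.1.1.11", "sni": "mail.example-bank.test", "category": "finance", "bytes": 20_000_000},
    {"src": "10.1.1.12", "sni": "cdn.example-social.test", "category": "social", "bytes": 80_000_000},
    {"src": "10.1.2.5", "sni": "files.example-share.test", "category": "file-sharing", "bytes": 300_000_000},
    {"src": "10.9.0.7", "sni": "api.example-pinned.test", "category": "business", "bytes": 10_000_000},
    {"src": "192.168.50.3", "sni": "www.example-news.test", "category": "news", "bytes": 15_000_000},
    {"src": "10.1.1.13", "sni": "blocked.example-malware.test", "category": "malware", "bytes": 5_000_000},
]

# Hypothetical policy model; field names are this example's own, not FTD object names
POLICY = {
    # Prefilter fastpath: trusted subnets passed at L3/L4 without deep inspection
    "fastpath_src": ["192.168.50.0/24"],
    # ACP block: categories dropped before decryption is even considered
    "acp_block_categories": {"malware"},
    # Do-not-decrypt: privacy-sensitive categories and destinations known to use
    # certificate pinning, where re-signing would only break the application
    "do_not_decrypt_categories": {"finance", "software-updates"},
    "do_not_decrypt_sni": {"api.example-pinned.test"},
    # Decrypt only flows originating from these user subnets (staged rollout)
    "decrypt_src": ["10.1.0.0/16"],
}


def _in_any(addr, networks):
    return any(addr in ipaddress.ip_network(n) for n in networks)


def classify(flow, policy):
    """Return the verdict for one flow, evaluated in the order the thread describes."""
    src = ipaddress.ip_address(flow["src"])
    if _in_any(src, policy["fastpath_src"]):
        return "prefilter-fastpath"
    if flow["category"] in policy["acp_block_categories"]:
        return "acp-block"
    if (flow["category"] in policy["do_not_decrypt_categories"]
            or flow["sni"] in policy["do_not_decrypt_sni"]):
        return "do-not-decrypt"
    if _in_any(src, policy["decrypt_src"]):
        return "decrypt"
    return "pass-encrypted"


def plan(flows, policy):
    """Summarise flows and bytes per verdict plus the share of bytes that would be decrypted."""
    flows_by = Counter()
    bytes_by = Counter()
    for flow in flows:
        verdict = classify(flow, policy)
        flows_by[verdict] += 1
        bytes_by[verdict] += flow["bytes"]
    total = sum(f["bytes"] for f in flows)
    return {
        "flows": dict(flows_by),
        "bytes": dict(bytes_by),
        "decrypt_share": bytes_by["decrypt"] / total if total else 0.0,
    }


if __name__ == "__main__":
    result = plan(SAMPLE_FLOWS, POLICY)
    for verdict, count in sorted(result["flows"].items()):
        print(f"{verdict:20s} flows={count} bytes={result['bytes'][verdict]:,}")
    print(f"share of bytes reaching decryption: {result['decrypt_share']:.1%}")
```

Feeding the planner an export of real connection events (source IP, SNI, category, bytes) instead of the constructed list gives a first-order estimate of how much traffic a given decryption policy will push through the appliance, which can then be checked against the sizing guide before widening the `decrypt_src` scope.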
