Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2480
Views
0
Helpful
10
Replies

Firepower SSL decryption doesnt work well

hacizeynal
Level 1
Level 1

‎02-03-2017 04:51 AM - edited ‎03-12-2019 06:16 AM

Hello ,I have configured FMC 6.2 with the Sensor 5525 ,configured SSL decryption ,when I access to https site i see my local certificate in my browser also can see it on logs that it was decrypted and resigned ! I want to allow facebook application but block facebook like or chat ,is that technically possible ? I cant find any documentation for that case !I will appreciate if anybody helps ! 

1 person had this problem
Labels:
0 Helpful
10 Replies 10

syeda3
Level 1
Level 1

‎02-03-2017 08:18 AM

You should be able to block these using an Access Control Policy.

When you search for Applications as a condition, you will see the list that you need. Here is the screenshot showing the same:

[[{"attributes":{},"fields":{}}]]

0 Helpful

syeda3
Level 1
Level 1
In response to syeda3

‎02-03-2017 08:31 AM

[[{"attributes":{},"fields":{}}]]

0 Helpful

hacizeynal
Level 1
Level 1
In response to syeda3

‎02-06-2017 01:57 AM

It did not work for me ,I am still able to like posts on Facebook and etc, but In events I see that actually it is Blocked !

0 Helpful

Claudiu Cismaru
Cisco Employee
Cisco Employee
In response to hacizeynal

‎02-16-2017 01:13 PM

Could you provide with some screenshots of the events from the Table view of events?

0 Helpful

hacizeynal
Level 1
Level 1
In response to Claudiu Cismaru

‎02-17-2017 03:20 AM

Hi Claudiu ,

I have still issue on it ,although it shows in events that it is blocked it doesn't work ,i think it never works on Firepower or PaloAlto ,it is only possible to do it on Checkpoint :/ ,I am facing with another problem ,for example I have a department for Finance ,Youtube has been blocked ,one of user can access to it another one is not ? is it bug or something again ?

0 Helpful

jdworak14
Level 1
Level 1
In response to hacizeynal

‎05-18-2018 08:08 AM

Not sure if this is still being followed or updated, but i'm having similar frustration.
What i did notice with sites like YOUTUBE, Google Docs, Google Drive. In Firefox YOUTUBE will feed videos from a google site called 'c.docs.google.com' which is categorized as "Personal Storage". In IE it will come from a different site and categorized as "Streaming Media". if your ACL is blocking category "Personal Storage" then that is why some users may work and others not.... check the browser and compare their session with the Event logs.
When you say one user can access and another is blocked then verify the browser from both and see if Firefox/Chrome vs IE.
two cents...
0 Helpful

mlittleton
Level 1
Level 1

‎04-07-2017 01:59 AM

I am also have this issue. I have configured a SSL decryption. When I go to Facebook I can see that the decrption is working but I am still allowed to comment and like.

It looks like the micro application filtering does not work.

0 Helpful

Claudiu Cismaru
Cisco Employee
Cisco Employee
In response to mlittleton

‎04-07-2017 02:08 AM

Could you provide with some screenshots of the events from the Table view of events for the ones you consider they should have been blocked?

0 Helpful

mlittleton
Level 1
Level 1
In response to Claudiu Cismaru

‎04-07-2017 03:03 AM

I have attached the following screen shots SSL, Policy and events.

In the policy I want to block  Facebook micro applications , Facebook messaging is blocked but all the rest of the application are not. 

Any help will be appreciated. I am on  6.1.0.2

Preview file
140 KB
Preview file
87 KB
Preview file
77 KB
0 Helpful

Bogdan Nita
VIP Alumni
VIP Alumni
In response to mlittleton

‎05-18-2018 08:34 AM

It seems that not all the facebook traffic is being decrypted and if the traffic is encrypted the firepower can't tell which microapp it is. If you specify an application that uses ssl in the decrypt policy it will never be decrypted.

Also there a couple of bugs opened for firepower recognizing facebook microapplications, for instance: CSCvh91548

 

HTH

Bogdan

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card