firepower ssl decryption for server

ring zer0
Level 1

I have used SSL decryption on firewalls for URL filtering, in the case where users from inside want to access internet resources; in this case we need to export a certificate and then install it on each client machine in the organization.

If the flow is the opposite, where a server is inside the organization and users from the internet want to access it, and we need to enable some kind of protection like IPS or malware inspection for that server using Firepower, how will this work? If I configure an SSL policy for this, then the public users need to have the Firepower certificate, and since the user base is dynamic it is almost impossible to do this. Is there a way to still inspect SSL traffic where internet users are accessing our server?

If I am not mistaken this can be done by web application firewalls using an SSL offloading technique, but can this be done using ASA Firepower services?

2 Replies

Greg Smalley
Level 1

For inbound decryption your server should have a certificate from a public certificate authority that is already trusted by the computers accessing your server (like Thawte, GeoTrust, etc.). You will need to install the server certificate and key on the Firepower appliance as well as the root CA cert. Since your Internet users will already have the root CA cert installed, there is nothing they have to do.

-Smalley


@Greg Smalley wrote:

For inbound decryption your server should have a certificate from a public certificate authority that is already trusted by the computers accessing your server (like Thawte, GeoTrust, etc.). You will need to install the server certificate and key on the Firepower appliance as well as the root CA cert. Since your Internet users will already have the root CA cert installed, there is nothing they have to do.

-Smalley

Hi Smalley

Do we install the server cert and the key on the Firepower appliance or on the FMC?

How about if we have a wildcard cert and we import the cert and the key from one of the internal servers and install it on the Firepower system (appliance or FMC)? Is this accepted by all the internal servers that use the wildcard cert?
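A pre-flight check for the server cert/key pair Smalley describes, and for the wildcard question just above, as an added example that is not part of this thread or of Cisco's documentation. It assumes only the openssl CLI is available. It mints a throwaway root CA and a wildcard leaf (constructed test material, so the script runs offline); in the real case the leaf comes from a public CA and the bundle passed to the chain check is the one your clients already trust. The three checks are the ones worth running before loading the pair into whichever system will decrypt inbound traffic: the private key really matches the certificate, the chain validates to the trusted root, and the certificate's names cover each hostname you intend to decrypt (a wildcard entry matches exactly one DNS label, so *.example.test covers www.example.test but not api.internal.example.test).

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks on a server
# certificate/private-key pair before it is loaded for inbound (known-key)
# decryption. Requires the openssl CLI.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a throwaway root CA and a wildcard server cert.
# In production the server cert comes from a public CA that browsers already
# trust; the private CA here exists only so the script runs offline.
make_test_pki() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 30 -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # Leaf CSR; -subj overrides the CN from the config file.
  openssl req -new -config "$WORK/ca.cnf" -subj "/CN=*.example.test" \
    -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:*.example.test,DNS:example.test\n' > "$WORK/san.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/server.pem" 2>/dev/null
  # An unrelated key, to show what a cert/key mismatch looks like.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/wrong.key" 2>/dev/null
}

# Check 1: the private key belongs to the certificate. Compare the public key
# embedded in each; with a mismatch the decrypting device could never complete
# the TLS handshake on the server's behalf.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Check 2: the chain validates against the CA the clients trust. For a public
# CA this would be the system bundle; any intermediate must also be installed
# alongside the server cert on the decrypting device.
chain_is_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 3: which hostnames the cert actually covers. A wildcard matches exactly
# one DNS label: *.example.test covers www.example.test, not a.b.example.test.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

main_demo() {
  make_test_pki
  key_matches_cert "$WORK/server.pem" "$WORK/server.key" && echo "key/cert pair: OK"
  key_matches_cert "$WORK/server.pem" "$WORK/wrong.key" || echo "wrong.key: does not match cert"
  chain_is_trusted "$WORK/ca.pem" "$WORK/server.pem" && echo "chain to root CA: OK"
  for h in www.example.test example.test api.internal.example.test; do
    if cert_covers_host "$WORK/server.pem" "$h"; then
      echo "$h: covered"
    else
      echo "$h: NOT covered"
    fi
  done
}

main_demo
```

Run it as is to see the output for the constructed material; for a real pair, call the three functions with your own cert, key and the CA bundle your clients trust, and list every hostname you plan to decrypt in the loop so any name the certificate does not cover shows up before the SSL rule goes live.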