FMC Enable SSL Decryption Impact and Creating Key and Certificate

kentwirianata (Level 1)

Hello,
I'm trying to add SSL decryption for incoming packets from external to an internal web server. Is there any impact if I want to execute this?

Also, I'm trying to create a certificate and key for SSL decryption, but how do I create them? And do I put them into 'Internal Certs'?

[Screenshot attached: kentwirianata_0-1741250886210.png]

8 Replies

Marvin Rhoads (Hall of Fame)

Yes, it would use an internal cert. 

The end-to-end process is explained in detail here: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/encrypted-traffic-overview.html#how-to-configure-decryption-policies-and-rules

Once you have the internal cert in place, you can follow the wizard as described here:
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/decryption-policies.html#Cisco_Task_in_List_GUI.dita_f48db076-8088-4dd8-b542-3dd1a4b9bb57

Regarding impact, traffic to the target server will be decrypted and inspected and then re-signed. It could affect traffic to the server, especially if not done correctly. So, it is recommended you schedule a maintenance window and test thoroughly once you deploy the changes.

Thanks for the reply @Marvin Rhoads @nspasov,
So I'm trying to import the certificate created in OpenSSL into FMC PKI -> Internal Certs and it gives this error:

[Screenshot attached: kentwirianata_0-1741656072210.png]

Based on this link https://community.cisco.com/t5/network-security/cant-import-a-trusted-certificate-to-firepower/td-p/3381291 someone said that a user can't use a public certificate for that and has to either generate the certificate on the FMC and distribute it to all clients, or generate a CSR on the FMC and get a cert from your own trusted CA with a certificate-server template.

I'm not familiar with this. Can you tell me, if you know, where to generate a CSR and key on the FMC?

The link was included in the section I mentioned earlier. Specifically for the CSR, see here:
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/decryption-policies.html#Cisco_Task_in_List_GUI.dita_e5f30d7a-7fd1-4358-ad81-78eea166777c

Most importantly, the Certificate Authority (CA) you use to issue the certificate used for decryption must be using a subordinate CA template. That is, the issued certificate must be capable of generating and issuing its own certificates as needed to decrypt the outbound traffic and inspect it prior to re-encrypting and sending it on to the destination server. Your clients must trust those certificates since the FTD is acting as a "man in the middle" for the flow.
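
An added example, not part of this post or of Cisco's documentation, showing with openssl why the subordinate CA template matters for the outbound (resign) case. A constructed root CA issues the same CSR twice, once under a sub-CA profile and once under a web-server profile; only the sub-CA result can mint per-site leaf certificates that a client trusting the root will accept. The root CA, extension profiles, CSR subject and hostname are stand-ins, and the CSR is generated with openssl instead of the FMC CSR task so the whole flow runs offline.

```shell
#!/bin/sh
# Added example (not from the original post or Cisco): the "Decrypt - Resign"
# certificate must be issued from a subordinate CA template. Everything below
# (root CA, profiles, CSR subject, hostname) is a constructed stand-in.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Three issuance profiles: the root itself, a sub-CA template (what the FTD
# cert needs) and an ordinary web-server template (what does NOT work).
write_profiles() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_subca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
EOF
}

# Constructed enterprise root CA: the one thing every client already trusts.
make_root_ca() {
  write_profiles
  openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_root \
    -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
}

# The request the firewall would submit to the CA (stand-in for the FMC CSR).
make_resign_csr() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=FTD Decryption Sub-CA" \
    -keyout "$WORK/resign.key" -out "$WORK/resign.csr" >/dev/null 2>&1
}

# Issue the CSR from the root under a given template section of ca.cnf.
issue_from_root() { # $1 = csr, $2 = template (v3_subca | v3_server), $3 = out cert
  openssl x509 -req -in "$1" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/ca.cnf" -extensions "$2" \
    -out "$3" >/dev/null 2>&1
}

# 0 if the certificate may sign other certificates: CA:TRUE plus keyCertSign.
can_resign() { # $1 = cert
  txt=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$txt" | grep -q "CA:TRUE" &&
    printf '%s\n' "$txt" | grep -q "Certificate Sign"
}

# What the firewall does per flow: mint a leaf for the requested server name,
# signed with its own decryption certificate and key.
mint_leaf() { # $1 = signer cert, $2 = signer key, $3 = hostname, $4 = out cert
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$3" > "$WORK/leaf.cnf"
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$3" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$1" -CAkey "$2" -CAcreateserial \
    -days 1 -sha256 -extfile "$WORK/leaf.cnf" -out "$4" >/dev/null 2>&1
}

# The client's view: does the minted leaf chain to the trusted root when the
# firewall's certificate is presented as the intermediate?
client_accepts() { # $1 = leaf cert, $2 = intermediate cert
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$2" "$1" >/dev/null 2>&1
}

main() {
  make_root_ca; make_resign_csr
  issue_from_root "$WORK/resign.csr" v3_subca  "$WORK/ftd_subca.crt"
  issue_from_root "$WORK/resign.csr" v3_server "$WORK/ftd_server.crt"
  for c in ftd_subca ftd_server; do
    mint_leaf "$WORK/$c.crt" "$WORK/resign.key" www.example.com "$WORK/leaf_$c.crt"
    if client_accepts "$WORK/leaf_$c.crt" "$WORK/$c.crt"; then
      echo "$c: client trusts the re-signed leaf"
    else
      echo "$c: client rejects the re-signed leaf (issuer is not a CA)"
    fi
  done
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `sh resign_ca_check.sh --run`. The server-template certificate still signs the leaf without complaint; the failure only shows up on the client side during chain validation, which is exactly where a wrongly templated decryption certificate breaks production traffic.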

So if I enable SSL Decryption, will it also impact our existing traffic?

(Accepted Solution)

@kentwirianata I was answering earlier for the use case of outgoing traffic.

For incoming traffic to your own web server as you mentioned in your original post, the certificate and key you would use is the same one in use on the web server. In that case, your SSL Decryption policy would only affect that one server and no other traffic through the firewall is affected. You would not do a CSR in that case since you are decrypting with a known private key and certificate.
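
An added example (not part of this post or of Cisco's own tooling) of the checks worth running on the web server's existing certificate and private key before importing them as an Internal Cert for a known-key rule: the key must actually belong to the certificate, the certificate should not be about to expire, and if the key is password-protected the import needs that password. It assumes the FMC import takes PEM-encoded certificate and key text, and it generates a throwaway server pair as a stand-in for the real one.

```shell
#!/bin/sh
# Added example (not from the original post or Cisco): pre-flight checks on a
# web server's existing certificate and key before pasting them into
# FMC > Objects > PKI > Internal Certs for a "Decrypt - Known Key" rule.
# Assumption: the import accepts a PEM certificate plus a PEM private key
# (with a password only if the key is encrypted).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed sample standing in for the real server pair. In production you
# copy the files the web server already serves; you never generate a new pair
# here, or clients would be shown a certificate they do not trust.
make_sample_server_pair() {
  cat > "$WORK/server.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = www.example.internal
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.internal
EOF
  openssl req -x509 -config "$WORK/server.cnf" -extensions v3_server \
    -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
}

# 0 if the private key belongs to the certificate. Both public keys are
# compared in SubjectPublicKeyInfo form, so this works for RSA and EC alike.
key_matches_cert() { # $1 = cert PEM, $2 = key PEM
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# 0 if the key is PEM and not password-protected. Encrypted keys carry
# "ENCRYPTED" in the BEGIN line (PKCS#8) or a Proc-Type header (legacy PEM).
key_is_unencrypted_pem() { # $1 = key PEM
  grep -q "BEGIN .*PRIVATE KEY" "$1" && ! grep -q "ENCRYPTED" "$1"
}

# 0 if the certificate is valid now and for at least $2 more seconds.
cert_not_expiring() { # $1 = cert PEM, $2 = seconds
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Run every check, then write clean PEM copies (PKCS#8 key, certificate with
# no text preamble) ready to paste into the import form.
prepare_for_fmc() { # $1 = cert, $2 = key, $3 = output dir
  key_matches_cert "$1" "$2" || { echo "key does not match cert" >&2; return 1; }
  key_is_unencrypted_pem "$2" || { echo "key is encrypted; supply its password in FMC" >&2; return 1; }
  cert_not_expiring "$1" 86400 || { echo "cert expires within a day" >&2; return 1; }
  mkdir -p "$3"
  openssl x509 -in "$1" -out "$3/fmc_cert.pem"
  openssl pkey -in "$2" -out "$3/fmc_key.pem"
}

main() {
  make_sample_server_pair
  prepare_for_fmc "$WORK/server.crt" "$WORK/server.key" "$WORK/out" &&
    echo "ready to import: $WORK/out/fmc_cert.pem and $WORK/out/fmc_key.pem"
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `sh known_key_precheck.sh --run`, or point `prepare_for_fmc` at the server's real files. A key/certificate mismatch is worth catching here rather than on the firewall: even if such a pair could be imported, the firewall would never be able to decrypt the server's sessions with it.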

Thanks for the reply @Marvin Rhoads,

Oh yes, you did mention it. What I mean is: is the traffic that the FMC already received from the web server (old received traffic) also impacted, or only new incoming traffic, if I enable the certificate and SSL policy?

Because I need to know what kind of impact you mean by "It could affect traffic to the server, especially if not done correctly".

(Accepted Solution)

Any new connection to the server specified in the SSL policy will be affected. Existing TCP connections for the SSL/TLS traffic will not be affected.

As with any production configuration change, you should always make the change within an approved maintenance window while understanding the potential impact and having a plan to revert if things do not go as planned.

nspasov (Cisco Employee)

In addition to Marvin's excellent input, I would like to add that performing decryption/encryption of TLS traffic can have an impact on your firewall appliance. Hardware appliances with crypto hardware would perform a lot better than, let's say, a virtual appliance where the decryption/encryption would be done in software. As a result, you should consult the data sheets and/or a technical resource from Cisco or a Cisco partner.
