03-16-2023 12:28 AM
Hi
If we were doing SSL inspection using Decrypt-Re-Sign, in the logs would I see the FTD's IP address connecting to external sites and not the user's IP address as I see now?
Also I read there's a hit on the CPU when doing SSL inspection. Is this very noticeable?
Thanks
03-16-2023 01:42 AM
@benolyndav it's been a while since I looked at SSL decryption on the FTD, but the FTD should only act as the MITM in regard to decrypting the traffic; the initiator IP address in the logs should be the real IP address of the client computer. Have a look at the video - https://www.youtube.com/watch?v=tAIdcZ3EBiw
Yes there is a decent performance hit when decrypting traffic, IMO generally you would not decrypt every website. The exact performance of the FTD will also depend on what other features you are using as well as SSL decrypt. I suggest contacting your Cisco partner who can use the performance estimator and determine the expected performance, sorry I don't have access so I cannot do this for you.
03-16-2023 09:41 AM
As @Rob Ingram surmised the FTD will NOT show up as an origination or destination of the connection. It does its part "invisibly" in that respect.
The performance hit is big for a given connection and that is why we almost never use the feature for outbound (to the Internet) traffic. In that use case you also have to have a CA and the certificate-issuing certificate on the FTD trusted by all your clients, some websites and applications break, etc.
For incoming traffic to servers you host and have the certificate and private key, the feature is quite handy. Generally that's not a big proportion of your firewall's traffic so the performance hit for a small handful of servers is much more manageable.