cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
450
Views
2
Helpful
3
Replies

FTD URL Filtering unable to inspect https sites

KP6677
Beginner
Beginner

Looks URL filtering was enabled on a policy with different categories like Gambling blocked but unfortunately few of them are still accessible. I gone through some Cisco document, it's mentioned that https inspection for url filtering only works for main website and can't inspect child websites, for http inspection to work with url filtering do we need to enable SSL decryption ?  Can we install self signed certificate generated on FTD in user PC's and enable ssl decryption, what's difference if we have third party CA certificate for SSL decryption, any insights and any body did ssl decryption on FTD, also herd ssl decryption will utilize more cpu and memory, is it recommended to enable ssl decryption?

1 Accepted Solution

Accepted Solutions

URL filtering with HTTPS inspection can indeed block access to specific categories like Gambling, but it may not be 100% effective in blocking all related websites, especially if they are child websites or use different encryption methods. To improve the effectiveness of URL filtering with HTTPS inspection, you need to enable SSL decryption.

SSL decryption would require you to install a certificate on the Firepower Threat Defense (FTD) and on the user's devices. You can use a self-signed certificate generated on the FTD, but it is generally better to use a certificate from a trusted third-party Certificate Authority (CA). The main reason being that third-party CA certificates are already trusted by most devices and browsers, reducing the chances of security warnings or issues due to an untrusted certificate. Additionally, using a third-party CA certificate can help improve the overall security posture of your network and reduce the risk of man-in-the-middle attacks.

To enable SSL decryption on FTD, you should follow these steps:

1. Obtain a valid certificate from a trusted CA or generate a self-signed certificate on the FTD.
2. Install the certificate on the FTD and configure it for SSL decryption.
3. If using a self-signed certificate, distribute and install it on all user devices that need to be part of the SSL decryption process.
4. Create and apply a decryption policy on the FTD, specifying the traffic to be decrypted and the certificate to use for decryption.

It is true that enabling SSL decryption can increase CPU and memory usage on the FTD, as it needs to decrypt, inspect, and re-encrypt the traffic. However, this additional resource usage is generally acceptable and manageable, especially on modern FTD devices with adequate hardware resources. If you are concerned about resource usage, you can selectively decrypt only specific categories of traffic or specific user groups to minimize the impact on device performance.

In summary, enabling SSL decryption with URL filtering on FTD can improve the effectiveness of your network security measures and provide better visibility and control over encrypted traffic. It is recommended to use a trusted third-party CA certificate; however, you can also use a self-signed certificate if necessary. Keep in mind that enabling SSL decryption may consume additional resources on the FTD, but this can be managed through selective decryption policies.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.

View solution in original post

3 Replies 3

URL filtering with HTTPS inspection can indeed block access to specific categories like Gambling, but it may not be 100% effective in blocking all related websites, especially if they are child websites or use different encryption methods. To improve the effectiveness of URL filtering with HTTPS inspection, you need to enable SSL decryption.

SSL decryption would require you to install a certificate on the Firepower Threat Defense (FTD) and on the user's devices. You can use a self-signed certificate generated on the FTD, but it is generally better to use a certificate from a trusted third-party Certificate Authority (CA). The main reason being that third-party CA certificates are already trusted by most devices and browsers, reducing the chances of security warnings or issues due to an untrusted certificate. Additionally, using a third-party CA certificate can help improve the overall security posture of your network and reduce the risk of man-in-the-middle attacks.

To enable SSL decryption on FTD, you should follow these steps:

1. Obtain a valid certificate from a trusted CA or generate a self-signed certificate on the FTD.
2. Install the certificate on the FTD and configure it for SSL decryption.
3. If using a self-signed certificate, distribute and install it on all user devices that need to be part of the SSL decryption process.
4. Create and apply a decryption policy on the FTD, specifying the traffic to be decrypted and the certificate to use for decryption.

It is true that enabling SSL decryption can increase CPU and memory usage on the FTD, as it needs to decrypt, inspect, and re-encrypt the traffic. However, this additional resource usage is generally acceptable and manageable, especially on modern FTD devices with adequate hardware resources. If you are concerned about resource usage, you can selectively decrypt only specific categories of traffic or specific user groups to minimize the impact on device performance.

In summary, enabling SSL decryption with URL filtering on FTD can improve the effectiveness of your network security measures and provide better visibility and control over encrypted traffic. It is recommended to use a trusted third-party CA certificate; however, you can also use a self-signed certificate if necessary. Keep in mind that enabling SSL decryption may consume additional resources on the FTD, but this can be managed through selective decryption policies.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.

Yes we used url filtering but few of the child web sites aren’t working . I am now trying to enable ssl decryption but since it’s 1150 thinking can it handle the resources . Ameya’s thanks for your detailed elaboration .

Sure you need to enable SSL decryption, 
the traffic first decrypt then inspect as clear text (as http) 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: