02-21-2025 03:49 AM - edited 02-21-2025 03:51 AM
Hello, everyone.
A lot of resources say that firewalls can read more than just the traditional L3/L4 headers. They mention that they can read the L7 data and the payload itself. My question is, how exactly is this accomplished if the protocol that's being used is HTTPs? This means that the payload and the L7 data are encrypted, so the firewall shouldn't be able to decrypt it, or is there a workaround to this?
Thank you.
David
02-21-2025 03:58 AM
M.
02-21-2025 04:07 AM
@Mitrixsen hi,
There are many methods used by different vendors.
Cisco has ETA - https://community.cisco.com/t5/security-knowledge-base/cisco-eta-feature-encrypted-traffic-analysis-at-glance/ta-p/4783197
generally all firewalls which support SSL inspection, do decrypt and re-encrypt the packet to inspect content flowing through the firewalls.
02-21-2025 04:28 AM
@Mitrixsen aside from the SSL decryption that has already been mentioned, the FTD software image (not ASA) supports EVE (Encrypted Visibility Engine), which works by fingerprinting the Client Hello packet in the TLS handshake and does not need to implement full man-in-the-middle (MITM) decryption. EVE uses the fingerprints to identify thousands of applications and even known malicious processes and can also be used to identify and stop malware.
https://secure.cisco.com/secure-firewall/v7.2/docs/encrypted-visibility-engine
02-21-2025 04:51 AM
David,
Modern firewalls can inspect L7 data, even in encrypted HTTPS traffic, through methods like SSL/TLS interception (Man in the Middle), which allows them to decrypt and inspect encrypted payloads. This process involves the firewall acting as a "man in the middle" between the client and server. It installs a trusted root certificate on the client, enabling it to decrypt traffic from the client, inspect the content, and then re-encrypt the traffic before forwarding it to the server. This way, the firewall can analyze the application layer data, detect threats, and apply policies based on the content of the encrypted traffic.
Another technique is SNI inspection, which allows firewalls to inspect the hostname in the TLS handshake without fully decrypting the payload. This is useful for making decisions based on destination URLs or blocking specific sites, even in encrypted sessions. While SSL/TLS interception is the most comprehensive method, it requires careful management of certificates and can introduce privacy concerns since the firewall can decrypt all traffic unless protections like perfect forward secrecy are in place...
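Both the EVE answer (fingerprinting the ClientHello) and the SNI inspection paragraph above rely on the same fact: the ClientHello is sent in the clear, so a firewall can read the requested hostname and the client's cipher/extension offer without decrypting anything. The following Python is an added example written for this thread, not code from Cisco, FTD, EVE or any poster. It builds a constructed sample ClientHello (not a real capture), parses out the SNI and the handshake fields, computes a fingerprint in the widely used JA3 format (an illustration of the fingerprinting idea; EVE's own fingerprint scheme is not reproduced here), and applies a toy allow/flag/block rule. The hostname `example.com` and the cipher and curve lists are constructed sample values.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are placeholder code points browsers sprinkle into
# the handshake; JA3 drops them so they do not perturb the fingerprint.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}

# Extension type numbers from the IANA TLS ExtensionType registry.
EXT_SNI, EXT_CURVES, EXT_POINT_FORMATS = 0, 10, 11


def _ext(ext_type, data):
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(hostname, ciphers, curves, point_formats):
    """Construct a minimal TLS 1.2-style ClientHello record (constructed sample, not a capture)."""
    name = hostname.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(name)) + name          # name_type 0 = host_name
    sni = struct.pack("!H", len(sni_list)) + sni_list
    curve_data = struct.pack("!H", 2 * len(curves)) + b"".join(struct.pack("!H", c) for c in curves)
    pf_data = struct.pack("!B", len(point_formats)) + bytes(point_formats)
    exts = _ext(EXT_SNI, sni) + _ext(EXT_CURVES, curve_data) + _ext(EXT_POINT_FORMATS, pf_data)
    body = struct.pack("!H", 0x0303) + b"\x11" * 32              # client_version + fixed "random"
    body += b"\x00"                                               # empty session_id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                           # one compression method: null
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract SNI and fingerprint fields from a raw ClientHello record; nothing is decrypted."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                                  # skip client_version and random
    pos += 1 + body[pos]                                          # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                          # compression_methods
    info = {"version": version, "ciphers": ciphers, "extensions": [],
            "sni": None, "curves": [], "point_formats": []}
    if pos + 2 > len(body):                                       # no extensions block at all
        return info
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        info["extensions"].append(etype)
        if etype == EXT_SNI and len(data) >= 5:                   # list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == EXT_CURVES and len(data) >= 2:
            n = struct.unpack("!H", data[:2])[0]
            info["curves"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif etype == EXT_POINT_FORMATS and len(data) >= 1:
            info["point_formats"] = list(data[1:1 + data[0]])
    return info


def ja3_fingerprint(info):
    """JA3 string and MD5 in the usual 'version,ciphers,extensions,curves,formats' form."""
    join = lambda vals: "-".join(str(v) for v in vals if v not in GREASE)
    ja3 = ",".join([str(info["version"]), join(info["ciphers"]), join(info["extensions"]),
                    join(info["curves"]), join(info["point_formats"])])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def policy_decision(record, blocked_hosts, flagged_ja3):
    """Toy firewall rule: block by SNI, flag by known fingerprint, otherwise allow."""
    info = parse_client_hello(record)
    if info["sni"] and info["sni"].lower() in blocked_hosts:
        return "block"
    if ja3_fingerprint(info)[1] in flagged_ja3:
        return "flag"
    return "allow"


if __name__ == "__main__":
    hello = build_client_hello("example.com", [0x1301, 0x1302, 0xC02B, 0x0A0A], [0x001D, 0x0017], [0])
    info = parse_client_hello(hello)
    print(info["sni"], ja3_fingerprint(info))
```

Two caveats a practitioner should keep in mind: the SNI is client-supplied and unauthenticated, so a hostname policy built on it should be cross-checked against the server certificate or DNS, and Encrypted Client Hello hides the name entirely; and a fingerprint identifies the TLS library or application that produced the handshake, not the content, so it complements rather than replaces full decryption.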