"TLS Server Identity Discovery" and "Encrypted Visibility Engine"

m1xed0s
Spotlight

A quick validation question: Will Enabling and Deploying "TLS Server Identity Discovery" and/or "Encrypted Visibility Engine" features in FMC/FTD be impactful for data traffic?

Will it matter if the FTD is in routed or transparent mode?

4 Replies 4

Divya Jain
Cisco Employee

Hello,

TLS Server Identity Discovery
The latest version of the Transport Layer Security (TLS) protocol 1.3, defined by RFC 8446, is the preferred protocol for many web servers to provide secure communications. Because the TLS 1.3 protocol encrypts the server's certificate for additional security, and the certificate is needed to match application and URL filtering criteria in access control rules, the Firepower System provides a way to extract the server certificate without decrypting the entire packet.
You can enable this feature, referred to as TLS server identity discovery, when you either:

Associate an SSL policy with an access control policy

Configure advanced settings for an access control policy

Because the certificate is decrypted, TLS server identity discovery can reduce performance depending on the hardware platform.

TLS server identity discovery is not supported in inline tap mode or passive mode deployments.

Encrypted Visibility Engine
EVE is a new means of identifying client applications and processes utilizing TLS encryption. It enables visibility and allows administrators to take actions and enforce policy within their environments. EVE works by fingerprinting the Client Hello packet in the TLS handshake. By identifying specific application fingerprints in TLS session establishment, the system can identify the client process and take appropriate action (allow/block).

Ref: https://secure.cisco.com/secure-firewall/docs/encrypted-visibility-engine

Deployment

The GUI page lists the devices with out-of-date configurations having the pending status.

The Inspect Interruption column indicates if traffic inspection interruption may be caused in the device during deployment.

See Restart Warnings for the FTD Devices for information to help you identify configurations that interrupt traffic inspection and might interrupt traffic when deployed to FTD devices.
If the entry is blank in this column for a device, then it indicates that there will be no traffic inspection interruptions on that device during deployment.

For both features, you can check the deployment details to make sure no traffic interruption is caused.
-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------


Regards,

Divya Jain
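To make the Client Hello fingerprinting described above concrete, here is an added example (not Cisco's EVE code and not its fingerprint format): a small parser for the cleartext ClientHello fields, with a constructed sample record, and a hypothetical fingerprint built from the handshake shape rather than the destination name, so the same client program looks the same whichever server it talks to.

```python
import hashlib
import struct

def build_client_hello(sni: str, ciphers: list, versions: list) -> bytes:
    """Constructed sample: a TLS record carrying a ClientHello with SNI and supported_versions."""
    name = sni.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ver_ext = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    exts = (struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
            + struct.pack("!HH", 0x002B, len(ver_ext)) + ver_ext)
    body = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"      # version, random, empty session id
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)    # null compression, extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # record type 22 = handshake

def parse_client_hello(rec: bytes) -> dict:
    """Extract the cleartext fields a ClientHello fingerprint is built from; raises on malformed input."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = rec[9:9 + int.from_bytes(rec[6:9], "big")]
    if len(p) < 35 or len(p) != int.from_bytes(rec[6:9], "big"):
        raise ValueError("truncated ClientHello")
    info = {"version": struct.unpack("!H", p[:2])[0], "ciphers": [], "extensions": [],
            "sni": None, "supported_versions": []}
    pos = 35 + p[34]                                                # skip 32-byte random + session id
    n = struct.unpack("!H", p[pos:pos + 2])[0]; pos += 2
    info["ciphers"] = [struct.unpack("!H", p[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]
    pos += n
    pos += 1 + p[pos]                                               # skip compression methods
    end = pos + 2 + struct.unpack("!H", p[pos:pos + 2])[0]; pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", p[pos:pos + 4]); pos += 4
        data = p[pos:pos + elen]; pos += elen
        info["extensions"].append(etype)
        if etype == 0x0000 and len(data) >= 5:                      # server_name: host_name entry
            info["sni"] = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii", "replace")
        elif etype == 0x002B:                                       # supported_versions list
            info["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                          for i in range(1, len(data) - 1, 2)]
    return info

def fingerprint(info: dict) -> str:
    """Hypothetical client fingerprint (not EVE's own format): hash of handshake shape, not of SNI."""
    shape = "%d,%s,%s" % (info["version"], "-".join(map(str, info["ciphers"])),
                          "-".join(map(str, info["extensions"])))
    return hashlib.sha256(shape.encode()).hexdigest()[:16]
```

Two records that differ only in SNI produce the same fingerprint, while a change in the offered cipher suites or extension list produces a different one; that is what lets a policy act on the client process instead of the destination.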
Thanks. But is "TLS Server Identity Discovery" supported for the FTD running in transparent mode with interface inline pair (no tap)?

Hi,

TLS server identity discovery is not supported in inline tap mode or passive mode deployments.
Ref link: https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/getting_started_with_access_control_policies.html

Regards,
Divya Jain

I don't use an SSL policy. So I am wondering, if I disable this feature, would that impact the URL categorization?
