02-17-2023 12:44 PM - edited 02-17-2023 01:05 PM
A quick validation question: Will Enabling and Deploying "TLS Server Identity Discovery" and/or "Encrypted Visibility Engine" features in FMC/FTD be impactful for data traffic?
Will it matter if the FTD is in routed or transparent mode?
02-28-2023 09:42 AM
Hello,
TLS Server Identity Discovery
The latest version of the Transport Layer Security (TLS) protocol 1.3, defined by RFC 8446, is the preferred protocol for many web servers to provide secure communications. Because the TLS 1.3 protocol encrypts the server's certificate for additional security, and the certificate is needed to match application and URL filtering criteria in access control rules, the Firepower System provides a way to extract the server certificate without decrypting the entire packet.
You can enable this feature, referred to as TLS server identity discovery, when you either:
Associate an SSL policy with an access control policy
Configure advanced settings for an access control policy
Note: Because the certificate is decrypted, TLS server identity discovery can reduce performance depending on the hardware platform.
Note: TLS server identity discovery is not supported in inline tap mode or passive mode deployments.
EVE is a new means of identifying client applications and processes utilizing TLS encryption. It enables visibility and allows administrators to take actions and enforce policy within their environments. EVE works by fingerprinting the Client Hello packet in the TLS handshake. By identifying specific application fingerprints in TLS session establishment, the system can identify the client process and take appropriate action (allow/block).
Ref: https://secure.cisco.com/secure-firewall/docs/encrypted-visibility-engine
Deployment.
The GUI page lists the devices with out-of-date configurations having the pending status.
The Inspect Interruption column indicates if traffic inspection interruption may be caused in the device during deployment.
See Restart Warnings for the FTD Devices for information to help you identify configurations that interrupt traffic inspection and might interrupt traffic when deployed to FTD devices.
If the entry is blank in this column for a device, then it indicates that there will be no traffic inspection interruptions on that device during deployment.
For both the features you can check the deployment details to make sure traffic interruption is not caused.
-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.
You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------
Regards,
Divya Jain
02-28-2023 10:09 AM - edited 02-28-2023 10:16 AM
Thanks. But is "TLS Server Identity Discovery" supported for the FTD running in transparent mode with interface inline pair (no tap)?
03-06-2023 11:15 PM
Hi,
TLS server identity discovery is not supported in inline tap mode or passive mode deployments.
Ref link: https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/getting_started_with_access_control_policies.html
Regards,
Divya Jain
06-28-2023 03:04 AM
I don't use SSL policy. So I am wondering, if I disable this feature, would that impact the URL categorization?
01-30-2025 01:18 AM
TLS Server Identity Discovery can have a painful effect until the TLS 1.3 Hybridized Kyber Support bug is resolved in FTD.
See tldr.fail page.
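As an added illustration (not code from this thread, from Cisco, or from tldr.fail), here is a Python sketch of what a ClientHello-based inspector such as EVE has to do, and why the oversized hybrid-Kyber ClientHello matters: a defender's parser has to reassemble every TLS record before it can read the SNI, cipher suites and extension list, so an inspector that only looks at the first TCP segment sees nothing. The builder, the sample bytes and the fingerprint scheme are constructed for the demo; they are not Cisco's EVE algorithm.

```python
import hashlib
import struct

def build_client_hello(sni: bytes, ciphers, ext_types, pad: int = 0) -> bytes:
    """Constructed minimal ClientHello (not a capture) wrapped in TLS records.
    pad adds a padding extension to mimic a large hybrid key_share."""
    exts = b"\x00\x00" + struct.pack(">HHBH", len(sni) + 5, len(sni) + 3, 0, len(sni)) + sni
    for t in ext_types:
        exts += struct.pack(">HH", t, 0)  # extension bodies left empty on purpose
    if pad:
        exts += struct.pack(">HH", 0x0015, pad) + b"\x00" * pad
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"  # legacy_version, random, empty session_id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"  # compression_methods: null only
    body += struct.pack(">H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    # A large ClientHello is carried in several TLS records spread over TCP segments
    return b"".join(b"\x16\x03\x01" + struct.pack(">H", len(hs[i:i + 512])) + hs[i:i + 512]
                    for i in range(0, len(hs), 512))

def parse_client_hello(stream: bytes):
    """Reassemble handshake data from TLS records and extract SNI, cipher suites and
    extension types. Returns None when the ClientHello is not yet complete."""
    hs, pos = b"", 0
    while pos + 5 <= len(stream) and stream[pos] == 0x16:
        rlen = struct.unpack(">H", stream[pos + 3:pos + 5])[0]
        frag = stream[pos + 5:pos + 5 + rlen]
        if len(frag) < rlen:
            break  # record cut by a segment boundary; wait for more bytes
        hs, pos = hs + frag, pos + 5 + rlen
    if len(hs) < 4 or hs[0] != 0x01 or len(hs) < 4 + int.from_bytes(hs[1:4], "big"):
        return None  # the tldr.fail case: inspecting only the first segment sees nothing
    p = 38 + 1 + hs[38]  # skip type/len/version/random and session_id
    clen = struct.unpack(">H", hs[p:p + 2])[0]
    ciphers = [struct.unpack(">H", hs[i:i + 2])[0] for i in range(p + 2, p + 2 + clen, 2)]
    p += 2 + clen
    p += 1 + hs[p]  # compression_methods
    elen = struct.unpack(">H", hs[p:p + 2])[0]
    p, end, sni, ext_types = p + 2, p + 2 + elen, None, []
    while p + 4 <= end:
        et, el = struct.unpack(">HH", hs[p:p + 4])
        if et == 0 and el >= 5:  # server_name: list_len(2) name_type(1) name_len(2) name
            nlen = struct.unpack(">H", hs[p + 7:p + 9])[0]
            sni = hs[p + 9:p + 9 + nlen].decode("ascii", "replace")
        ext_types.append(et)
        p += 4 + el
    fp = hashlib.sha256(repr((ciphers, ext_types)).encode()).hexdigest()[:16]
    return {"sni": sni, "ciphers": ciphers, "extensions": ext_types, "fingerprint": fp}
```

Feeding only the first 1460 bytes (one typical TCP segment) of a padded ClientHello returns None, while the fully reassembled stream yields the SNI, cipher list and a stable fingerprint over the suites and extension order.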