07-08-2024 09:36 AM
I've got a weird issue. Per policy, I've got a list of categories/URLs for web sites not to decrypt. In my SSL Policy I created rules for each classification so I can track which rule gets hit for DND. Every rule has logging enabled, even the Default action, do not decrypt. I test a web site from each category/rule to be sure it gets hit properly. I monitor using the Unified Events viewer. Some web sites never log the connection. For example, https://www.sec.gov never gets logged even though it is in a Gov't Law category. I'm not sure why none of the rules log the traffic, not even the default rule. I was hoping I could figure out a method to policy-trace the traffic flow to see which SSL Decryption rule applies. I tried packet-tracer but it doesn't seem to include this section of the flow. Any help would be appreciated.
Thanks - David
07-09-2024 12:33 AM - edited 07-09-2024 12:33 AM
You could try "system support firewall-engine-debug". Run that with the source and destination specified to see details on how the ACP and associated policies (IPS, SSL decrypt etc.) are handling a given flow.
07-10-2024 01:31 PM
Thanks, I may try that. Still trying to wrap my head around TLS 1.3 and certificate pinning. Seems like all the missing log entries are for sites using TLS 1.3 encryption. But I do see entries for some TLS 1.3 sites. I'm at 7.2x. I was reading that 7.3x has much improved EVE. That, and I very much like the fact you can save filters in the Unified Event Viewer.
07-10-2024 03:52 PM
Hi friend,
I'll try to help here; I don't have a lot of ack.
So:
TLS 1.2 sends the SNI unencrypted, and hence the FTD can read it and run the SSL policy.
TLS 1.3 sends the SNI encrypted, so ONLY Snort 3, and only after you enable the TLS 1.3 decrypt option in the advanced tab of the SSL policy, lets the FTD read the SNI and run the SSL policy.
MHM
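To make the SNI discussion above concrete, here is an added example (not code from the thread or from Cisco) that builds a syntactically valid TLS ClientHello with a constructed server name and then parses it back out, the way an inspection engine has to before it can evaluate a server-name rule. It pulls the two fields that matter here: the `server_name` extension (the SNI) and the `supported_versions` extension (which is how a client offers TLS 1.3, since the record and legacy version fields still say 1.2). The `sni_matches_rule` helper is a plain suffix-wildcard match added for illustration and is not a claim about how FTD evaluates a DN condition such as `*.federalreserve.gov`; all inputs are constructed inline.

```python
"""Minimal TLS ClientHello builder and parser (illustrative, constructed input).

Extracts the cleartext fields a decryption policy can key on before any
certificate is exchanged: the SNI and the offered protocol versions.
"""
import struct

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
TLS13 = 0x0304


def build_client_hello(server_name: str, versions=(0x0304, 0x0303)) -> bytes:
    """Construct one TLS record carrying a ClientHello for tests (constructed
    data: zero random, empty session id, a single cipher suite)."""
    host = server_name.encode("ascii")
    # server_name extension body: list length, name_type 0 (host_name), name length, name
    sni_entry = struct.pack("!BH", 0, len(host)) + host
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    # supported_versions extension body: 1-byte list length, then 2-byte versions
    vers = b"".join(struct.pack("!H", v) for v in versions)
    sv_data = struct.pack("!B", len(vers)) + vers
    sv_ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv_data)) + sv_data
    exts = sni_ext + sv_ext
    body = (
        struct.pack("!H", 0x0303)              # legacy_version is always 1.2 on the wire
        + bytes(32)                            # random (zeros: constructed test data)
        + b"\x00"                              # legacy_session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"   # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                          # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return {'legacy_version', 'sni', 'offered_versions'} from a ClientHello
    record; raise ValueError on anything malformed or truncated."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or body_len < 2 + 32 + 1 + 2 + 1:
        raise ValueError("truncated ClientHello")
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                          # skip random
    pos += 1 + body[pos]                               # skip legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                               # skip compression_methods
    info = {"legacy_version": legacy_version, "sni": None, "offered_versions": []}
    if pos == len(body):
        return info                                    # no extensions: legal pre-1.3
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions overflow ClientHello body")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if len(data) != elen:
            raise ValueError("truncated extension")
        if etype == EXT_SERVER_NAME:
            list_len = struct.unpack("!H", data[:2])[0]
            off = 2
            while off + 3 <= 2 + list_len:
                ntype = data[off]
                nlen = struct.unpack("!H", data[off + 1:off + 3])[0]
                off += 3
                if ntype == 0:                         # host_name entry
                    info["sni"] = data[off:off + nlen].decode("ascii", "replace")
                off += nlen
        elif etype == EXT_SUPPORTED_VERSIONS:
            n = data[0]
            info["offered_versions"] = [
                struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, n, 2)
            ]
    return info


def offers_tls13(info: dict) -> bool:
    """True when the client advertised TLS 1.3 via supported_versions."""
    return TLS13 in info["offered_versions"]


def sni_matches_rule(sni: str, pattern: str) -> bool:
    """Illustrative suffix-wildcard match: '*.example.gov' matches any name
    ending in '.example.gov'. Not FTD's DN-matching semantics."""
    if pattern.startswith("*."):
        return sni.endswith(pattern[1:])
    return sni == pattern
```

Running `parse_client_hello(build_client_hello("www.sec.gov"))` yields the SNI `www.sec.gov` with offered versions `[0x0304, 0x0303]`, i.e. a TLS 1.3-capable hello whose server name is still readable; a hello built with `versions=(0x0303,)` parses as 1.2-only. The version-gated branch in an inspection engine is a separate decision from whether the SNI itself was parseable, which is worth keeping in mind when a rule that should match by name never logs.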
07-10-2024 05:49 PM
Thanks, yes, I do have that option set. I also have TLS Server Identity Discovery enabled on the ACP.
07-11-2024 07:15 AM
I'm beginning to suspect that the SSL Decrypt connection event log entries are generated for the first lookup but not subsequent requests. I had a test URL for DND I hadn't tried yet for the Federal Reserve. The first time I tried the URL it showed up in the connection log, including embedded URLs, and was decrypted, even though I had an SSL rule to DND with a wildcard DN specifying *.federalreserve.gov. Subsequent visits to the site showed no log entries whatsoever, including those embedded URLs. Makes it tough to t-shoot an SSL Decryption policy without a full-on debug.
07-12-2024 06:14 AM
I'm starting to lean towards this problem being a logging issue. Our FMC is in an external data center. I've got a TAC case open.
07-12-2024 07:32 AM
Still waiting on TAC but I can confirm I see the log entries on a syslog server. I then checked the Connection Events log and can see the events logged there. The Unified Events viewer seems to be the problem.
07-25-2024 12:02 PM
I do have a TAC case open. I was able to demonstrate the problem with the Unified Event viewer missing log data. Connection Events and Syslog data are fine. At the moment I'm not depending on the Unified Events viewer for troubleshooting.
07-25-2024 12:12 PM
Thanks a lot for updating us.
Have a nice summer.
MHM