Secure FMC Policy Trace SSL Decryption?

davparker
Level 1

I've got a weird issue. Per policy, I've got a list of categories/URLs for web sites to do not decrypt. In my SSL Policy I created rules for each classification so I can track which rule gets hit for DND. Every rule has logging enabled, even the Default action, do not decrypt. I test a web site from each category/rule to be sure it gets hit properly. I monitor using the Unified Events viewer. Some web sites never log the connection. Example, https://www.sec.gov never gets logged even though it is in a Gov't Law category. I'm not sure why none of the rules log the traffic, even the default rule, I was hoping I could figure out a method to policy trace the traffic flow to see which SSL Decryption rule applies. I tried packet-tracer but it doesn't seem to include this section of flow. Any help would be appreciated.

Thanks - David

9 Replies

Marvin Rhoads
Hall of Fame

You could try "system support firewall-engine-debug". Run that with the source and destination specified to see details on how the ACP and associated policies (IPS, SSL decrypt etc.) are handling a given flow.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214577-firepower-data-path-troubleshooting-phas.html

Thanks, I may try that. Still trying to wrap my head around TLS1.3 and certificate pinning. Seems like all the missing log entries are for sites using TLS1.3 encryption. But I do see entries for some TLS 1.3 sites. I'm at 7.2x. I was reading that 7.3x has much improved EVE. That, and I very much like the fact you can save filters in the Unified Event Viewer.

Hi friend,

I'll try to help here; I don't have a lot of ack.

So:

TLS 1.2 sends the SNI unencrypted, and hence FTD can read it and hence run the SSL policy.

TLS 1.3 sends the SNI encrypted, so ONLY Snort 3, and only after you enable the TLS 1.3 decrypt option in the Advanced tab of the SSL policy, can FTD read the SNI and run the SSL policy.

MHM
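The policy matching MHM describes depends on what the firewall can read out of the TLS ClientHello before any decryption happens. As an added example (not code from this thread, from Cisco, or from FTD itself), the Python below builds a constructed ClientHello, parses out the server_name, supported_versions and whether an encrypted_client_hello extension is present, and then applies a hypothetical do-not-decrypt wildcard list to the extracted name. The ECH codepoint 0xFE0D is the draft-ietf-tls-esni value; build_client_hello, parse_client_hello and classify_flow are names chosen for this example.

```python
import struct
from fnmatch import fnmatch

# TLS extension types used below (server_name and supported_versions are IANA-assigned;
# 0xFE0D is the encrypted_client_hello codepoint from draft-ietf-tls-esni).
EXT_SERVER_NAME = 0
EXT_SUPPORTED_VERSIONS = 43
EXT_ECH = 0xFE0D

TLS12 = 0x0303
TLS13 = 0x0304


def build_client_hello(server_name, versions, with_ech=False):
    """Construct a minimal TLS ClientHello record (constructed test input, not a real capture)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type=host_name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    sv = b"".join(struct.pack("!H", v) for v in versions)
    sv_data = bytes([len(sv)]) + sv
    exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv_data)) + sv_data
    if with_ech:
        payload = b"\x00" * 8                                           # opaque placeholder, not a real ECH body
        exts += struct.pack("!HH", EXT_ECH, len(payload)) + payload
    body = (struct.pack("!H", TLS12) + bytes(32)                       # legacy_version + random
            + b"\x00"                                                  # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                       # one cipher suite
            + b"\x01\x00"                                              # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the cleartext fields a middlebox can see: SNI, offered versions, ECH presence."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                                       # skip legacy_version + random
    pos += 1 + body[pos]                                               # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]               # cipher_suites
    pos += 1 + body[pos]                                               # compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    result = {"sni": None, "versions": [], "ech": False}
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME:
            list_len = struct.unpack("!H", data[0:2])[0]
            p = 2
            while p < 2 + list_len:
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    result["sni"] = data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        elif etype == EXT_SUPPORTED_VERSIONS:
            n = data[0]
            result["versions"] = [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, n, 2)]
        elif etype == EXT_ECH:
            result["ech"] = True
    return result


def classify_flow(fields, do_not_decrypt_patterns):
    """Hypothetical rule evaluation: match the cleartext SNI against wildcard DND patterns."""
    if fields["ech"]:
        return "sni-unreadable"          # the real name is inside the encrypted inner ClientHello
    if fields["sni"] is None:
        return "no-sni"
    for pat in do_not_decrypt_patterns:
        if fnmatch(fields["sni"], pat):
            return "do-not-decrypt"
    return "decrypt"


if __name__ == "__main__":
    for host, vers, ech in [("www.sec.gov", [TLS13, TLS12], False),
                            ("www.federalreserve.gov", [TLS13], False)]:
        f = parse_client_hello(build_client_hello(host, vers, ech))
        print(host, f, classify_flow(f, ["*.federalreserve.gov"]))
```

Run it as-is to see which fields survive on the wire for each constructed hello; the classify_flow return values are the only signal a policy engine has before the handshake is decrypted, which is why a flow whose SNI is hidden can silently miss every explicit rule.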

Thanks, yes, I do have that option set. I also have TLS Server Identity Discovery enabled on the ACP.

davparker
Level 1

I'm beginning to suspect that the SSL Decrypt connection event log entries are generated for the first lookup but not subsequent requests. I had a test URL for DND I hadn't tried yet for the Federal Reserve. The first time I tried the URL it showed up in the connection log, including embedded URLs, and was decrypted, even though I had an SSL rule to DND with a wildcard DN specifying *.federalreserve.gov. Subsequent visits to the site showed no log entries whatsoever, including those embedded URLs. Makes it tough to t-shoot an SSL Decryption policy without a full-on debug.

davparker
Level 1

I'm starting to lean towards this problem being a logging issue. Our FMC is in an external data center. I've got a TAC case open.

davparker
Level 1

Still waiting on TAC but I can confirm I see the log entries on a syslog server. I then checked the Connections Events log and can see the events logged there. The Unified Events viewer seems to be the problem.

davparker
Level 1

I do have a TAC case open. I was able to demonstrate the problem with the Unified Event viewer missing log data. Connection Events and Syslog data are fine. At the moment not depending on Unified Events viewer for troubleshooting.

Thanks a lot for updating us.

Have a nice summer.

MHM
