09-26-2016 11:49 AM - edited 03-10-2019 06:41 AM
In the new release of FirePower 6.1 you can enable SafeSearch to restrict results of searches. The only problem is that you have to use SSL.
It should be noted that SSL decryption policies must be configured for both of these features to work, especially because most search engines are now using SSL encryption.
We recently had SSL decryption turned on and it was crashing the FirePower modules. We were told by TAC that the 5545 with the modules couldn't handle the amount of SSL decryption we were doing. So in the end we really didn't see a need to keep doing SSL decryption because of the performance loss.
"SafeSearch" is one feature as an education institution that we need to have turned on. Is there a way to just send search engine bound traffic through SSL policy for decryption and "do not decrypt" all other traffic?
09-26-2016 01:21 PM
Yes. It is generally recommended that an SSL decryption policy be restricted to the sites you really need to decrypt for just the reason you encountered.
We would do this in your example by using an application rule in the SSL Policy.
Config Guide Reference:
http://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/Decryption_Tuning_Using_SSL_Rules.html#ID-2255-00000027
Screenshot of example (open in new tab to zoom):