Beginner

SSL decryption only on URL filtering blocked sites

Hi,

We made a URL filtering rule (to block some URL categories) and set an HTTP response page, and it is working OK.

 

But in order to show users a response page when they are blocked from accessing an HTTPS site, SSL decryption needs to be activated (so the manual says).

 

We decided not to use SSL decryption due to the impact on traffic speed, but nevertheless we would like an HTTPS response page.

 

Is there an option to activate SSL decryption only on URLs that are in our URL filtering block rule?

As far as I understand, if we block a URL with URL filtering, it won't even come to the SSL decryption part.

 

Thank you.

 

Br,

Dragan

5 REPLIES
Cisco Employee

Re: SSL decryption only on URL filtering blocked sites

Hi

 

SSL decryption has to be configured to show a block page for HTTPS sites.

SSL decryption would happen first and then the URL filtering rule would be applied. If you are concerned with performance, you can create a rule with specific URL categories (which are supposed to be blocked) in the SSL policy to be decrypted, and all the rest goes to the default rule, which is to not decrypt.

 

Thanks

yogesh

Beginner

Re: SSL decryption only on URL filtering blocked sites

Hi,

Thanks for replying.

We did create a rule with specific URL categories (which are supposed to be blocked) in the SSL policy to be decrypted and applied this SSL policy to the main Access Control policy.

 

But decryption was applied to all users on the network and cut our HTTPS traffic, even though we put only one IP address of a test PC inside networks in the SSL policy settings.

 

Br,

Dragan

Beginner

Re: SSL decryption only on URL filtering blocked sites

I'm interested in doing this too and have a ticket open with the TAC, but they cannot figure this out. Do you know of any documentation or examples of doing this?

I have an ACL created today that blocks access to "Personal Storage", for example.

 

Personal Storage sites (for example http://box.com and https://www.box.com). When you go to the HTTP site I deliver an HTTP block page. Nice!

 

I then tried to add an SSL policy from my ACL policy and deploy, but it will not deploy. My SSL policy is very simple and calls for re-sign of the cert using certs from our CA.

I'm trying to find any documentation or examples from a working setup on how the SSL policy should be set up. The online documentation is horrible.

Thanks for any feedback.

Beginner

Re: SSL decryption only on URL filtering blocked sites

Hi,

Unfortunately I must agree with you regarding the online documentation.

We are still not able to resolve this issue and still have only the HTTP response set.

 

Br,

Dragan


Re: SSL decryption only on URL filtering blocked sites

We are facing a similar issue. We configured SSL decryption for the URL filtering of the HTTPS sites, but the behavior is very weird. The same user is able to open site-a using IE and gets blocked using Chrome. For a few other sites, it's vice versa. We are having second thoughts about whether buying Firepower was a wise decision.

 

Please advise.

 

Regards

Saif