11-03-2017 02:50 AM - edited 02-21-2020 06:38 AM
Hi all,
I am trying to get some answers on the request that I have. I have a 200Mbit internet link burstable to 1Gbit, 90 users, and my manager said he wants to have the ability to get a report of which sites each user visited. Considering that today most HTTP traffic is SSL, in order to do this I first need to be able to decrypt incoming SSL connections on the edge (otherwise the firewall can't get information from HTTP headers like hostname, thus the firewall is not able to track sites visited, right?). If my assumption is correct, assume you want to block Facebook and all subcategories: there are application categories you can block for Facebook, but Facebook uses SSL to protect their site, so how can the firewall block these without SSL decryption? To have all security features enabled on the edge device (URL filtering, file inspection, AMP, SSL decryption), is it correct to assume all ASA with Firepower devices take a 90% performance hit, even the Firepower 2100 which I would need, if all this is correct, to support a 200Mbit internet link? Do I even need to decrypt incoming SSL traffic to be able to compile a report of which sites each user visited?
11-09-2017 09:48 AM
I am trying to get some answers on the request that I have. I have a 200Mbit internet link burstable to 1Gbit, 90 users, and my manager said he wants to have the ability to get a report of which sites each user visited.
(Do not forget to integrate your firewall with your SSO solution, e.g. AD)
Considering that today most HTTP traffic is SSL, in order to do this I first need to be able to decrypt incoming SSL connections on the edge (otherwise the firewall can't get information from HTTP headers like hostname, thus the firewall is not able to track sites visited, right?)
(If you do not open the SSL connection you do not have full visibility for your report. Firepower will give you a lot of information but will miss some; the best way is to do SSL decryption)
If my assumption is correct, assume you want to block Facebook and all subcategories: there are application categories you can block for Facebook, but Facebook uses SSL to protect their site, so how can the firewall block these without SSL decryption?
(URL Filter will be able to block all http/https connections with an explicit URL. But you cannot do a policy with a "microapplication" within an SSL/TLS connection)
To have all security features enabled on the edge device (URL filtering, file inspection, AMP, SSL decryption), is it correct to assume all ASA with Firepower devices take a 90% performance hit, even the Firepower 2100 which I would need, if all this is correct, to support a 200Mbit internet link?
Firepower 2100 will support 200Mbits of SSL without problem. It has special processors for this work. You will have problems with old versions of Cisco firewalls (like ASA 5585/5555).
Do I even need to decrypt incoming SSL traffic to be able to compile a report of which sites each user visited?
Yes and No. You can miss some information if you do not decrypt TLS/SSL. Don't forget to flag for log or you will not be able to get all the information.
11-09-2017 11:16 AM - edited 11-24-2017 11:26 AM
Thank you for your help! Your answers were very helpful!