Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
5821
Views
5
Helpful
6
Replies

SSL inspection on Cisco ASA

Arshad Safrulla
VIP Alumni
VIP Alumni

‎01-24-2019 05:24 AM - edited ‎03-12-2019 07:15 AM

I would like to see if there is any document which has the cons of ssl inspection of firepower module.

Like the effect on resource usage like memory, processing power on the firewall

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
Labels:
0 Helpful
6 Replies 6

Sheraz.Salim
VIP Alumni
VIP Alumni

‎01-24-2019 05:32 AM - edited ‎01-24-2019 05:33 AM

we have 5555-X series with firepower SFR we were very intersted to do the SSL decryption but later the recommendation came from cisco if you looking for SSL decryption that use WSA or FTD bigger box.

 

so long story short if its production network stay out of it, if in the lab purpose yes go and try it. 

 

 

  here is a link

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-firepower-services/200577-Configure-the-SSL-decryption-on-FirePOWE.pdf

 

https://routemypacket.blogspot.com/2017/11/ssl-decryption-with-cisco-firepower.html

 

https://www.a10networks.com/resources/articles/ssl-inspection-decryption-cisco-asa-firepower

please do not forget to rate.

Arshad Safrulla
VIP Alumni
VIP Alumni
In response to Sheraz.Salim

‎01-24-2019 08:09 AM

Thank you. But I am looking for a cisco documentation which at least says that it is a resource intensive task.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
0 Helpful

Sheraz.Salim
VIP Alumni
VIP Alumni
In response to Arshad Safrulla

‎01-24-2019 08:22 AM

I never came across where Cisco said it’s a resource incentive. 

But runnning in lab environment personally and after even Cisco TAC recommendation is not run ssl decrying on ASA with sfr as it’s spikes the cpu. 

This is from the experience even though if you want to try and don’t believe than what else can be say.

ssl decrying work good with FTD 9300 for sure

please do not forget to rate.
0 Helpful

Arshad Safrulla
VIP Alumni
VIP Alumni
In response to Sheraz.Salim

‎01-24-2019 08:26 AM

Thank You once again. I am looking at a 5525-X box with AMP, IPS enabled and on top of this will be doing SSL decryption.
There are around 400 users behind the network with around 15 IPSEC tunnels terminated in the box.
I want a reason to convince my management not to do SSL inspection on the same box.
___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
0 Helpful

Sheraz.Salim
VIP Alumni
VIP Alumni
In response to Arshad Safrulla

‎01-24-2019 08:31 AM

Check this link in regards to throughout with IPS and NGIPS

https://www.cisco.com/c/dam/global/th_th/assets/docs/seminar/ASA5500_X.pdf

please do not forget to rate.
0 Helpful

Dennis Mink
VIP Alumni
VIP Alumni
In response to Arshad Safrulla

‎01-24-2019 01:07 PM - edited ‎01-24-2019 01:08 PM

I is common knowledge/best practise to do SSL encryption/decryption on a separate box in your DMZ, back in the day, it was called "SSL offloading". all customers i support run this on a F5 Big IP (or radware box)

 

 

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful
Review Cisco Networking for a $25 gift card
Top