04-28-2020 05:49 AM
I'm having a problem with an SSL Policy, which I use to analyze SMTPS traffic with a Firepower sensor managed by FMC. I have my own mail server inside my LAN, so I want to analyze incoming SMTPS traffic with the Decrypt (Known Key) method, as I own the private key.
I have successfully configured and deployed the policy, and I'm actually able to decrypt and analyze mail traffic in search of malware (which is the main purpose of this). The problem is that I'm also blocking a lot, perhaps most, of the connections.
When I check the Table View of Connection Events, I can see the Reason is SSL Block. In the SSL Flow Error column it says "CLIENT_CERT_NOT_SUPPORTED (0xb000346b)", and in SSL Flow Flags it says it's undecryptable.
Unfortunately, in the policy configuration I can't allow the undecryptable traffic. I can either block or block with reset. The only way to solve this issue for the moment was to create a Do Not Decrypt rule specifying the Initiator IP addresses. Interesting fact: for certain IP addresses, it sometimes blocks and sometimes decrypts successfully.
Can anyone give a hand with this? Thank you.
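The workaround described in the post (a Do Not Decrypt rule keyed on Initiator IP) needs a list of the initiators that are actually hitting CLIENT_CERT_NOT_SUPPORTED, and the "sometimes blocks, sometimes decrypts" observation suggests comparing outcomes per initiator rather than per event. The script below is an added example, not code from the original poster or from Cisco: it reads a CSV export of the FMC Connection Events table view, buckets each SMTPS connection by Initiator IP into decrypted / blocked-for-client-cert / blocked-for-other-reason, and returns the initiators to put in a Do Not Decrypt rule plus the ones that behave intermittently. The column names (Initiator IP, Responder IP, Responder Port, Reason, SSL Status, SSL Flow Error, SSL Flow Flags) and the SSL Status values are assumptions modelled on the table view, and the sample rows are constructed, so check them against a real export before relying on the parser.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an FMC Connection Events CSV export (assumed column
# names; only the Reason / SSL Flow Error / SSL Flow Flags values come from
# the post). Not a real export.
SAMPLE_EXPORT = """\
Initiator IP,Responder IP,Responder Port,Reason,SSL Status,SSL Flow Error,SSL Flow Flags
203.0.113.10,192.168.1.25,465,SSL Block,Block,CLIENT_CERT_NOT_SUPPORTED (0xb000346b),UNDECRYPTABLE
203.0.113.10,192.168.1.25,465,,Decrypt (Known Key),,
198.51.100.7,192.168.1.25,465,SSL Block,Block,CLIENT_CERT_NOT_SUPPORTED (0xb000346b),UNDECRYPTABLE
198.51.100.7,192.168.1.25,465,SSL Block,Block,CLIENT_CERT_NOT_SUPPORTED (0xb000346b),UNDECRYPTABLE
192.0.2.44,192.168.1.25,465,,Decrypt (Known Key),,
192.0.2.44,192.168.1.25,465,,Decrypt (Known Key),,
192.0.2.44,192.168.1.25,25,,,,
"""

CLIENT_CERT_ERROR = "CLIENT_CERT_NOT_SUPPORTED"


def parse_events(text):
    """Parse the CSV export into a list of row dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def error_name(value):
    """Strip the hex code: 'CLIENT_CERT_NOT_SUPPORTED (0xb000346b)' -> 'CLIENT_CERT_NOT_SUPPORTED'."""
    return value.split(" (")[0].strip()


def summarize_by_initiator(events, responder_port="465"):
    """Count outcomes per Initiator IP for connections to the SMTPS port.

    Returns {ip: {"decrypted": n, "client_cert_blocked": n, "other_blocked": n}}.
    Connections to other ports (e.g. plain SMTP on 25) are ignored.
    """
    summary = defaultdict(lambda: {"decrypted": 0, "client_cert_blocked": 0, "other_blocked": 0})
    for ev in events:
        if ev["Responder Port"] != responder_port:
            continue
        bucket = summary[ev["Initiator IP"]]
        if ev["Reason"] == "SSL Block":
            if error_name(ev["SSL Flow Error"]) == CLIENT_CERT_ERROR:
                bucket["client_cert_blocked"] += 1
            else:
                bucket["other_blocked"] += 1
        elif ev["SSL Status"].startswith("Decrypt"):
            bucket["decrypted"] += 1
    return dict(summary)


def do_not_decrypt_candidates(summary):
    """Initiators that hit CLIENT_CERT_NOT_SUPPORTED at least once, most-affected first."""
    hits = [ip for ip, s in summary.items() if s["client_cert_blocked"]]
    return sorted(hits, key=lambda ip: (-summary[ip]["client_cert_blocked"], ip))


def intermittent_initiators(summary):
    """Initiators seen both decrypted and blocked for the client-cert error."""
    return sorted(ip for ip, s in summary.items()
                  if s["client_cert_blocked"] and s["decrypted"])


if __name__ == "__main__":
    summary = summarize_by_initiator(parse_events(SAMPLE_EXPORT))
    for ip, counts in sorted(summary.items()):
        print(f"{ip:16} {counts}")
    print("Do Not Decrypt candidates:", do_not_decrypt_candidates(summary))
    print("Intermittent (decrypted and blocked):", intermittent_initiators(summary))
```

Feed it a real export with `python3 script.py < events.csv` after swapping SAMPLE_EXPORT for `sys.stdin.read()`; the candidate list is what would go into the Initiator network object of the Do Not Decrypt rule. The intermittent list is worth keeping separate: an initiator that is decrypted on some connections and blocked on others is the case to look at more closely before exempting it wholesale.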
04-29-2020 05:09 PM
05-05-2020 08:22 AM