02-02-2023 12:59 AM
Hello,
We have a 4412x FTD device running version 7.2.1 and managed by a virtual FMC. We are using URL filtering for both a wireless guest network and for a school network. We are not doing any SSL decryption, so the user will only get our custom block page when they are browsing HTTP pages, but we would now like to be able to do this on SSL/HTTPS pages as well.
I'm looking for some advice on how to get this working.
Would it be enough to create a SSL policy on the FTD and then generate a self-signed certificate that we distribute to all the clients?
Anyone with experience doing this directly on the FTD? Any drawbacks except for the performance decrease?
I've seen people recommend using a separate box doing the SSL decryption, but if we have enough resources on the FTD, are there any other reasons not to do SSL decryption on the FTD? (At the moment the average load is only around 15%.)
Thanks
/Chess
02-02-2023 01:05 AM
The 4412 is a good model, and 15% load is very small for these models, but you can enable SSL decryption and monitor the CPU. You can start testing with certain users to see whether everything is working before you deploy for other users. Hope you have AD user authentication against it. The guide below will help you:
The video below is very helpful:
02-02-2023 01:37 AM
Thanks for the advice and I'll have a look at the video later. Just one quick question. I was reading in this guide https://integratingit.wordpress.com/2019/02/16/firepower-ssl-decryption/ that we must use an internal CA server. We want to test this in the lab first, but we don't have a CA server there, so I want to know if it's possible to use self-signed certificates from the FTD or if a CA server is a must for testing this?
Thanks
/Chess
02-02-2023 01:40 AM
@Chess Norris no, you cannot use a normal self-signed identity certificate. You must use a sub CA certificate; this allows the FTD to create a certificate on the fly for the site you are blocking, spoofing the real website certificate. A normal certificate will not allow this, and a public CA will not provide you this type of certificate either.
02-02-2023 01:49 AM
Thanks Rob for confirming this.
/Chess
02-02-2023 01:47 AM
For labbing it's OK to test; for a real environment, I suggest having a CA (PKI) signed by your corporate CA, because the FTD intercepts the HTTPS connection between the client and the website.
You must read and understand the requirements and how that works, so let's focus on reading the document. When you are progressing, you can ask here about any issue, or if you are not sure, I suggest contacting a local Cisco partner for consulting services to deliver this.
02-13-2023 06:25 AM - edited 02-13-2023 06:27 AM
I configured an SSL policy and tested this in my lab following this guide https://integratingit.wordpress.com/2019/02/16/firepower-ssl-decryption/
I created a CSR in the FMC and then used my CA to create a sub CA certificate for the FMC.
The policy itself is working and I could, for example, create a rule that blocked access to sites with expired or invalid certificates, so that's all good.
However, I get a certificate warning instead of the block page when trying to browse an HTTPS site that should be blocked by my URL filter.
I guess I need to install a client certificate in order for the client to trust the FTD, but there is no mention in the guide of how to install this certificate on the client.
Should this certificate be downloaded from the CA server and then imported to the client, or should it be exported from the FMC?
Here's a screenshot of the certificate warning, where the client sees the FTD as the certificate issuer.
Thanks
/Chess
02-13-2023 06:42 AM
@Chess Norris the browser needs to trust the certificate, so import the CA certificate into the computer certificate store or, depending on the browser, import it into the browser's certificate store.
Though isn't the certificate issued by your internal CA? So wouldn't that already be trusted by your browser?
02-13-2023 07:02 AM
Thanks. The client I used for the test is not on the same domain as the CA, so it doesn't know about the CA. I will try to download and install the certificate manually.
/Chess