URL filtering block page and SSL decryption

Chess Norris
Level 4

Hello,


We have a 4412x FTD device running version 7.2.1 and managed by a virtual FMC. We are using URL filtering for both a wireless guest network and a school network. We are not doing any SSL decryption, so the user will only get our custom block page when browsing HTTP pages, but now we would like to be able to do this on SSL/HTTPS pages as well.


I'm looking for some advice on how to get this working.


Would it be enough to create an SSL policy on the FTD and then generate a self-signed certificate that we distribute to all the clients?

Anyone with experience doing this directly on the FTD? Any drawbacks apart from the performance decrease?

I've seen people recommend using a separate box to do the SSL decryption, but if we have enough resources on the FTD, is there any other reason not to do SSL decryption on the FTD? (At the moment the average load is only around 15%.)

Thanks

/Chess

 

8 Replies

balaji.bandi
Hall of Fame

The 4412 is a good model, and 15% load is very small for these models, but you can enable SSL decryption and monitor the CPU. You can start testing with certain users to check that everything is working before you deploy it to other users. I hope you have AD user authentication in place. The guide below will help you:

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/fdm/fptd-fdm-config-guide-623/fptd-fdm-ssl-decryption.html

The video below is very helpful:

https://www.youtube.com/watch?v=HUEGbZML1xU

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for the advice, and I'll have a look at the video later. Just one quick question. I was reading in this guide https://integratingit.wordpress.com/2019/02/16/firepower-ssl-decryption/ that we must use an internal CA server. We want to test this in the lab first, but we don't have a CA server there, so I want to know if it's possible to use self-signed certificates from the FTD or if a CA server is a must for testing this?

Thanks

/Chess 

@Chess Norris no, you cannot use a normal self-signed identity certificate. You must use a sub-CA certificate; this allows the FTD to create a certificate on the fly for the site you are blocking, spoofing the real website's certificate. A normal certificate will not allow this, and a public CA will not issue you this type of certificate either.

Thanks Rob for confirming this.

/Chess 

For labbing it is OK to test like that; for a real environment, I suggest having a CA (PKI) certificate signed by your corporate CA, because the FTD intercepts the HTTPS connection between the client and the web site.

You must read and understand the requirements for how that works, so let's focus on reading the document. As you progress, if you run into any issue you can ask here, or if you are not sure, I suggest contacting a local Cisco partner for consulting services to deliver this.

BB


Chess Norris
Level 4

I configured an SSL policy and tested this in my lab following this guide: https://integratingit.wordpress.com/2019/02/16/firepower-ssl-decryption/

I created a CSR in the FMC and then used my CA to create a sub-CA certificate for the FMC.

The policy itself is working, and I could, for example, create a rule that blocked access to sites with expired or invalid certificates, so that's all good.

However, I get a certificate warning instead of the block page when trying to browse an HTTPS site that should be blocked by my URL filter.

I guess I need to install a client certificate in order for the client to trust the FTD, but there is no mention in the guide of how to install this certificate on the client.

Should this certificate be downloaded from the CA server and then imported to the client or should it be exported from the FMC?

Here's a screenshot of the certificate warning, where the client sees the FTD as the certificate issuer.

[attached screenshot: 2.JPG]

Thanks

/Chess

@Chess Norris the browser needs to trust the certificate, so import the CA certificate into the computer's certificate store or, depending on the browser, into the browser's own certificate store.

Though, isn't the certificate issued by your internal CA? So wouldn't that already be trusted by your browser?
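The two points Rob makes in this thread (the FTD needs a sub-CA certificate rather than a plain self-signed identity certificate, and the client has to trust that CA or it gets a certificate warning instead of the block page) can both be reproduced in a lab with nothing but the openssl CLI. The script below is an added example written for this page; it is not code from the thread, from Cisco or from the linked guide, and the CA names, the `ftd.lab.example` identity and the `blocked.example.com` hostname are made up. It builds a corporate root, a sub-CA for the FTD and a plain identity certificate, mints a spoofed leaf for the blocked site the way a decrypt-resign rule does on the fly, and then checks the leaf from the client's side under each trust configuration.

```shell
#!/bin/sh
# Added lab example (not from the thread or from Cisco): imitate what an FTD decrypt-resign
# rule does with its sub-CA certificate and check, from the client's side, which trust
# configurations make the spoofed certificate acceptable. Needs only the openssl CLI
# (1.1.0 or newer). All names and hostnames are made up for the lab.

LAB="$(mktemp -d)"
trap 'rm -rf "$LAB"' EXIT

# X.509 v3 extension profiles, written to an -extfile.
#   ca   = may issue other certificates (what the FTD's resign certificate must be)
#   leaf = an ordinary server/identity certificate (what a "normal" self-signed cert is)
ext_file() { # profile [hostname]
  case "$1" in
    ca)   printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' ;;
    leaf) printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$2" ;;
  esac
}

# Fresh P-256 key plus CSR, the same step as generating a CSR for the sub-CA in the FMC.
gen_csr() { # name common-name
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$2" -keyout "$LAB/$1.key" -out "$LAB/$1.csr" 2>/dev/null
}

# Issue a certificate from a CSR. Empty issuer = self-signed; otherwise signed by $LAB/<issuer>.
sign_cert() { # name profile issuer [hostname]
  ext_file "$2" "${4:-}" > "$LAB/$1.ext"
  if [ -z "$3" ]; then
    openssl x509 -req -in "$LAB/$1.csr" -signkey "$LAB/$1.key" -sha256 -days 30 \
      -extfile "$LAB/$1.ext" -out "$LAB/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/$3.crt" -CAkey "$LAB/$3.key" -CAcreateserial \
      -sha256 -days 30 -extfile "$LAB/$1.ext" -out "$LAB/$1.crt" 2>/dev/null
  fi
}

# Lab PKI: a corporate root, the FTD sub-CA (CSR signed by the root with CA:TRUE, i.e. the
# "sub CA certificate" from the thread) and a plain self-signed identity cert for comparison.
build_pki() {
  gen_csr root "Lab Corporate Root CA" && sign_cert root ca "" &&
  gen_csr ftdsubca "FTD Decryption Sub-CA" && sign_cert ftdsubca ca root &&
  gen_csr identity "ftd.lab.example" && sign_cert identity leaf "" ftd.lab.example
}

# The on-the-fly part of decrypt-resign: mint a leaf carrying the blocked site's name, signed
# by the configured issuer. The real site's private key is never involved. Prints the path.
resign_site() { # issuer hostname
  name="spoofed_$1_$2"
  gen_csr "$name" "$2" && sign_cert "$name" leaf "$1" "$2" || rm -f "$LAB/$name.crt"
  echo "$LAB/$name.crt"
}

# The client's view of that leaf. An empty trust-anchor argument models a client, like the
# off-domain lab PC in the thread, that never imported the CA. Prints TRUSTED or UNTRUSTED.
client_verifies() { # leaf issuer trust-anchor-or-empty hostname
  if [ -n "$3" ]; then
    openssl verify -CAfile "$3" -untrusted "$LAB/$2.crt" -verify_hostname "$4" "$1" >/dev/null 2>&1 \
      && echo TRUSTED || echo UNTRUSTED
  else
    openssl verify -no-CAfile -no-CApath -untrusted "$LAB/$2.crt" -verify_hostname "$4" "$1" >/dev/null 2>&1 \
      && echo TRUSTED || echo UNTRUSTED
  fi
}

# The scenarios from the thread, run when the script is executed directly.
demo() {
  build_pki || { echo "openssl failed; is the CLI installed?" >&2; return 1; }
  leaf="$(resign_site ftdsubca blocked.example.com)"
  bad="$(resign_site identity blocked.example.com)"
  # TRUSTED: block page renders without a warning
  echo "sub-CA leaf, client trusts the corporate root: $(client_verifies "$leaf" ftdsubca "$LAB/root.crt" blocked.example.com)"
  # UNTRUSTED: the certificate warning Chess saw
  echo "sub-CA leaf, client never imported the CA:     $(client_verifies "$leaf" ftdsubca "" blocked.example.com)"
  # UNTRUSTED: the name on the minted leaf must match the site the browser asked for
  echo "sub-CA leaf presented for another hostname:    $(client_verifies "$leaf" ftdsubca "$LAB/root.crt" other.example.com)"
  # UNTRUSTED even though the issuer itself is trusted: a non-CA cert cannot issue leaves
  echo "leaf signed by a plain identity cert:          $(client_verifies "$bad" identity "$LAB/identity.crt" blocked.example.com)"
}
demo
```

The last scenario is the reason a "normal" self-signed certificate will not do: verification rejects any issuer whose `basicConstraints` is not `CA:TRUE` or whose `keyUsage` lacks `keyCertSign`, whether or not that certificate sits in the trust store. The second scenario is Chess's lab result; what has to reach the client is the CA certificate the minted leaves chain to (here the corporate root, which also covers the sub-CA), imported into the OS store or the browser's own store as Rob describes.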

Thanks. The client I used for the test is not on the same domain as the CA, so it doesn't know about the CA. I will try to download and install the certificate manually.

/Chess
