Beginner

Web SSL Inspection

Can ASA with FirePower services inspect SSL traffic, or do we need an SSL inspection appliance?

How can ASA force Application Control for SSL? Let's say, allow only reading of social networking while blocking upload/post, if it is not able to see inside SSL?

Cisco Employee

ASA cannot block HTTPS.

Firepower has an option of URL blocking that treats HTTP and HTTPS as equal.

You can go through it for more info:

 

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/AC-Rules-App-URL-Reputation.html#pgfId-1537119

 

Regards,

Puneesh

Please rate the helpful posts

Beginner

Hi,

Thank you for the answer.

But then I'll still have the usual issues when there is no SSL interception, like:

  • Block all destinations that don't have a valid cert.
  • Cannot see inside HTTPS traffic for, let's say, DLP or malware scanning.
  • Cannot see inside HTTPS traffic for HTTP methods; you can only see the HTTPS CONNECT method.
  • Block SSL: the user cannot see an error page because there is no SSL interception.

So, for that we need an SSL appliance?

Cisco Employee

Yes, you'd require web application firewalls for all those.

 

Regards,

Puneesh

Please rate the helpful posts

Cisco Employee

Hi,

Adding on to what Puneesh said, we can use DNS regex on the ASA device if the DNS queries are going through the ASA device, and then block the HTTPS websites as well, if only blocking is required and looking into the SSL header is not required.

Thanks and Regards,

Vibhor Amrodia
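
The DNS-based blocking mentioned in the last reply, sketched in Python as an added example (not part of the thread and not ASA configuration): it extracts the queried name from a DNS query and matches it against a regex blocklist. The pattern, the hostnames and the `drop-malformed` verdict are constructed assumptions.

```python
import re
import struct

# Constructed blocklist (assumption): the domain and all of its subdomains.
BLOCK_PATTERNS = [re.compile(r"(^|\.)social\.example$", re.IGNORECASE)]

def build_query(name, txid=0x1234):
    """Build a minimal DNS A query; used only to create sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_qname(packet):
    """Return the first question name of a DNS query, or None if malformed."""
    if len(packet) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount < 1:      # a response, or no question
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None                    # ran off the end of the packet
        length = packet[pos]
        if length == 0:
            break                          # root label ends the name
        if length > 63:                    # pointer or invalid label length
            return None
        pos += 1
        if pos + length > len(packet):
            return None                    # truncated label
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels)

def verdict(packet):
    """Decide per queried hostname; nothing inside the later TLS session is seen."""
    name = parse_qname(packet)
    if name is None:
        return "drop-malformed"
    if any(p.search(name) for p in BLOCK_PATTERNS):
        return "drop"
    return "allow"
```

The verdict is made per hostname before any TLS session exists, so it can block a site outright but cannot separate reading from uploading or posting, and it only applies to queries that actually pass through the inspecting device.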