TCP + SSL Session

Harmeet Singh
Beginner

Hi,

I have a firewall with URL filtering enabled. SSL is also enabled for this filtering. When a client tries to communicate with google.com (for example), it first gets the IP of Google from DNS and then starts the TCP three-way handshake. All communication goes through the firewall, and the client and server establish a TCP connection. Then they start the SSL handshake and establish that as well. But when I check the certificate details after opening the Google page, it shows my firewall's certificate. How does this happen?

As far as I know, the TCP session is established first and then SSL. If the TCP session is established directly with the Google server, then how does the firewall certificate come into the picture, since SSL should also be established with the Google server? How does all this happen? I also checked in Wireshark. I saw there that TCP is first built with the server and then TLS with the same server IP. But the certificate in the browser was from my firewall. If the TCP and SSL connections are with the actual server IP only, then how does the firewall certificate come in between?

Thanks. 

12 Replies

Rob Ingram
VIP Expert

@Harmeet Singh sounds like your firewall is doing SSL decryption, so it is intercepting the SSL request and re-signing with its own certificate. https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/getting_started_with_ssl_policies.html
Harmeet Singh
Beginner

Hi Rob, appreciate your revert.

My query was not related to configuration. I want to understand the process of how this happens.

MHM Cisco World
Advisor

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214581-firepower-data-path-troubleshooting-phas.pdf

Simple answer: the NGFW has an SSL policy, which means the FW sits between the client and the server. This way the FW has the key/cipher for SSL to decrypt any SSL-secured traffic that passes through it.