URL filtering with HTTPS inspection can indeed block access to specific categories like Gambling, but it may not be 100% effective in blocking all related websites, especially if they are child websites or use different encryption methods. To improve the effectiveness of URL filtering with HTTPS inspection, you need to enable SSL decryption.
SSL decryption would require you to install a certificate on the Firepower Threat Defense (FTD) and on the user's devices. You can use a self-signed certificate generated on the FTD, but it is generally better to use a certificate from a trusted third-party Certificate Authority (CA). The main reason is that third-party CA certificates are already trusted by most devices and browsers, reducing the chances of security warnings or issues due to an untrusted certificate. Additionally, using a third-party CA certificate can help improve the overall security posture of your network and reduce the risk of man-in-the-middle attacks.
To enable SSL decryption on FTD, you should follow these steps:
1. Obtain a valid certificate from a trusted CA or generate a self-signed certificate on the FTD.
2. Install the certificate on the FTD and configure it for SSL decryption.
3. If using a self-signed certificate, distribute and install it on all user devices that need to be part of the SSL decryption process.
4. Create and apply a decryption policy on the FTD, specifying the traffic to be decrypted and the certificate to use for decryption.
It is true that enabling SSL decryption can increase CPU and memory usage on the FTD, as it needs to decrypt, inspect, and re-encrypt the traffic. However, this additional resource usage is generally acceptable and manageable, especially on modern FTD devices with adequate hardware resources. If you are concerned about resource usage, you can selectively decrypt only specific categories of traffic or specific user groups to minimize the impact on device performance.
In summary, enabling SSL decryption with URL filtering on FTD can improve the effectiveness of your network security measures and provide better visibility and control over encrypted traffic. It is recommended to use a trusted third-party CA certificate; however, you can also use a self-signed certificate if necessary. Keep in mind that enabling SSL decryption may consume additional resources on the FTD, but this can be managed through selective decryption policies.
This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.
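Added example, not FTD configuration and not code from the answer above: the openssl commands below emulate what a decrypt-resign rule does (the FTD's inspection CA mints a fresh certificate for each intercepted site) and show that a client rejects that certificate until the CA is in its trust store, which is why step 3 matters. It assumes `openssl` on PATH; the "DEMO Inspection CA" and the hostname are constructed values.

```shell
#!/bin/sh
# Emulation of decrypt-resign: inspection CA re-signs intercepted sites.
# Not Cisco code; all names are constructed for the demonstration.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Step 1: generate the self-signed internal CA the inspection device would use.
make_inspection_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = DEMO Inspection CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 4 (what the decryption policy does per flow): mint a resigned leaf
# certificate carrying the intercepted site's name, signed by the inspection CA.
resign_site() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 7 -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# Step 3 check: validate the resigned cert the way a client would.
# $2 is the client's trust store (a CA bundle); empty means "CA not installed".
# Returns 0 when the client would accept the certificate without a warning.
client_trusts() {
  host="$1"; trust_file="$2"
  if [ -n "$trust_file" ]; then
    openssl verify -CAfile "$trust_file" "$WORK/$host.crt" >/dev/null 2>&1
  else
    openssl verify -no-CApath -no-CAfile "$WORK/$host.crt" >/dev/null 2>&1
  fi
}

# Stand-alone demo: same site, with and without the CA distributed to the client.
make_inspection_ca
resign_site casino.example
client_trusts casino.example "" && echo "accepted without CA (unexpected)" \
  || echo "casino.example: rejected, client lacks DEMO Inspection CA (browser warning)"
client_trusts casino.example "$WORK/ca.crt" && echo "casino.example: accepted once CA is installed"
```

Run it twice with `WORK` pointing at the same directory to reuse the CA, as an FTD keeps one internal CA across all resigned flows.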