FTD URL Filtering unable to inspect https sites

KP6677
Level 1

Looks like URL filtering was enabled on a policy with different categories like Gambling blocked, but unfortunately a few of them are still accessible. I went through some Cisco documents; it's mentioned that HTTPS inspection for URL filtering only works for the main website and can't inspect child websites. For HTTP inspection to work with URL filtering, do we need to enable SSL decryption? Can we install a self-signed certificate generated on the FTD on users' PCs and enable SSL decryption? What's the difference if we have a third-party CA certificate for SSL decryption? Any insights, and has anybody done SSL decryption on FTD? Also, I heard SSL decryption will utilize more CPU and memory; is it recommended to enable SSL decryption?

Accepted Solutions

URL filtering with HTTPS inspection can indeed block access to specific categories like Gambling, but it may not be 100% effective in blocking all related websites, especially if they are child websites or use different encryption methods. To improve the effectiveness of URL filtering with HTTPS inspection, you need to enable SSL decryption.

SSL decryption would require you to install a certificate on the Firepower Threat Defense (FTD) and on the user's devices. You can use a self-signed certificate generated on the FTD, but it is generally better to use a certificate from a trusted third-party Certificate Authority (CA). The main reason is that third-party CA certificates are already trusted by most devices and browsers, reducing the chances of security warnings or issues due to an untrusted certificate. Additionally, using a third-party CA certificate can help improve the overall security posture of your network and reduce the risk of man-in-the-middle attacks.

To enable SSL decryption on FTD, you should follow these steps:

1. Obtain a valid certificate from a trusted CA or generate a self-signed certificate on the FTD.
2. Install the certificate on the FTD and configure it for SSL decryption.
3. If using a self-signed certificate, distribute and install it on all user devices that need to be part of the SSL decryption process.
4. Create and apply a decryption policy on the FTD, specifying the traffic to be decrypted and the certificate to use for decryption.

It is true that enabling SSL decryption can increase CPU and memory usage on the FTD, as it needs to decrypt, inspect, and re-encrypt the traffic. However, this additional resource usage is generally acceptable and manageable, especially on modern FTD devices with adequate hardware resources. If you are concerned about resource usage, you can selectively decrypt only specific categories of traffic or specific user groups to minimize the impact on device performance.

In summary, enabling SSL decryption with URL filtering on FTD can improve the effectiveness of your network security measures and provide better visibility and control over encrypted traffic. It is recommended to use a trusted third-party CA certificate; however, you can also use a self-signed certificate if necessary. Keep in mind that enabling SSL decryption may consume additional resources on the FTD, but this can be managed through selective decryption policies.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.

3 Replies

Yes, we used URL filtering, but a few of the child websites aren't working. I am now trying to enable SSL decryption, but since it's an 1150 I'm thinking, can it handle the resources? Ameya, thanks for your detailed elaboration.

Sure, you need to enable SSL decryption;
the traffic is first decrypted and then inspected as clear text (as HTTP).
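To make the point in the accepted solution and in the reply above concrete, here is an added illustration (my own Python, not Cisco code or anything from the FTD). It assumes the commonly documented behaviour that, without decryption, a firewall classifying an HTTPS connection can only read the hostname from the TLS ClientHello's server_name (SNI) extension, while the URL path stays inside the encrypted stream. The ClientHello bytes, the hypothetical category list and the host/path names are all constructed for the example; the "child website" case is modelled as a gambling section under an otherwise allowed host.

```python
import struct
from typing import Optional

# Constructed category list (hypothetical, not a real Cisco category feed).
# A rule with path "/" covers the whole host; a longer path covers only that section.
CATEGORY_RULES = {
    "gambling": [("casino.example", "/"), ("portal.example", "/bets/")],
}


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying a server_name extension.
    Only the fields a parser needs are populated; random/session data are constructed."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name
    name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list   # extension type 0 = SNI
    extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"                        # client_version TLS 1.2
        + b"\x00" * 32                     # random (constructed)
        + b"\x00"                          # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
        + b"\x01\x00"                      # compression: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname from a ClientHello record, or None if absent/malformed."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # skip session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # skip compression_methods
    if len(body) < pos + 2:
        return None                                # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0x0000 and len(edata) >= 5:
            name_len = struct.unpack("!H", edata[3:5])[0]   # list len (2) + name_type (1) precede it
            return edata[5:5 + name_len].decode("ascii", "replace")
    return None


def classify(host: str, path: Optional[str]) -> Optional[str]:
    """Match host (and path, when known) against the category rules."""
    for category, rules in CATEGORY_RULES.items():
        for rule_host, rule_path in rules:
            if host == rule_host or host.endswith("." + rule_host):
                if rule_path == "/":
                    return category
                if path is not None and path.startswith(rule_path):
                    return category
    return None


def undecrypted_verdict(client_hello: bytes) -> Optional[str]:
    """What URL filtering can decide without decryption: hostname only, taken from SNI."""
    host = extract_sni(client_hello)
    return classify(host, None) if host else None


def decrypted_verdict(host: str, path: str) -> Optional[str]:
    """What URL filtering can decide once the session is decrypted and the request is visible."""
    return classify(host, path)
```

Whole-host categories match either way, which is why the top-level gambling sites in the question were blocked; the "/bets/" section of portal.example is only caught by decrypted_verdict, because the path never appears in the ClientHello. A client that sends no SNI at all gives undecrypted_verdict nothing to match, so it returns None, which is also the situation a decryption policy is meant to remove.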
