Cisco Defense Orchestrator

TLS Server Identity Discovery in Firepower Threat Defense

TLS 1.3 encrypts the server certificate: the Certificate message is sent inside the encrypted part of the handshake, so unlike TLS 1.2 it cannot be read passively from the connection. For traffic encrypted with TLS 1.3 to match access control rules that use application or URL filtering conditions, the system must be able to obtain the TLS 1.3 server certificate. We recommend that you enable TLS Server Identity Discovery so that encrypted connections are matched to the correct access control rule. The setting exposes the server certificate only; the connection itself remains encrypted. Enabling this option is sufficient; you do not need to create a corresponding SSL decryption rule. Rules that do not use application or URL conditions are unaffected by this setting.

Note: TLS Server Identity Discovery requires FTD Version 6.7 or later.
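To show the visibility gap this setting closes, the following Python script is an added example written for this page; it is not Cisco code and does not model how FTD obtains the certificate. It builds two hand-constructed TLS byte streams (with a dummy stand-in for the DER certificate) and runs the same passive record parser over both: in the TLS 1.2 flow the server Certificate message is a plaintext Handshake record, while in the TLS 1.3 flow it rides inside encrypted Application Data records, so only the ClientHello SNI remains readable. The host name example.com and all byte values are constructed sample input, not captured traffic.

```python
import struct

HANDSHAKE, APPLICATION_DATA = 0x16, 0x17          # TLS record content types
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE = 1, 2, 11  # handshake message types
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B
TLS12, TLS13 = 0x0303, 0x0304

def record(content_type, body):
    # TLS record header: type(1) legacy_version(2) length(2), then payload
    return struct.pack("!BHH", content_type, TLS12, len(body)) + body

def handshake(msg_type, body):
    # Handshake message header: type(1) length(3), then payload
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def hello_body(extensions, client):
    """ClientHello/ServerHello body up to and including the extensions block."""
    body = struct.pack("!H", TLS12) + bytes(32) + b"\x00"  # legacy_version, random, empty session_id
    if client:
        body += b"\x00\x02\x13\x01" + b"\x01\x00"  # one cipher suite, null compression
    else:
        body += b"\x13\x01\x00"  # chosen cipher suite, null compression
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    return body + struct.pack("!H", len(exts)) + exts

def sni_extension(host):
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name(0)
    return EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry

def hello_extensions(body, client):
    """Return {ext_type: ext_data} from a ClientHello or ServerHello body."""
    pos = 2 + 32
    pos += 1 + body[pos]  # session_id
    if client:
        pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher_suites
        pos += 1 + body[pos]  # compression_methods
    else:
        pos += 3  # cipher_suite + compression_method
    ext_len = struct.unpack_from("!H", body, pos)[0]
    exts, pos, end = {}, pos + 2, pos + 2 + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def passive_server_identity(stream):
    """What an inline inspector learns from a TLS stream without any decryption."""
    seen = {"sni": None, "version": None, "certificate_visible": False, "encrypted_records": 0}
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _legacy_version, rlen = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
        if ctype == APPLICATION_DATA:  # ciphertext; in TLS 1.3 the Certificate is in here
            seen["encrypted_records"] += 1
            continue
        if ctype != HANDSHAKE:
            continue
        mtype, mlen = body[0], int.from_bytes(body[1:4], "big")  # one message per record here
        msg = body[4:4 + mlen]
        if mtype == CLIENT_HELLO:
            sni = hello_extensions(msg, client=True).get(EXT_SERVER_NAME)
            if sni:
                name_len = struct.unpack_from("!H", sni, 3)[0]
                seen["sni"] = sni[5:5 + name_len].decode()
        elif mtype == SERVER_HELLO:
            # TLS 1.3 keeps legacy_version 0x0303 and signals 1.3 via supported_versions
            chosen = hello_extensions(msg, client=False).get(EXT_SUPPORTED_VERSIONS)
            negotiated = struct.unpack("!H", chosen)[0] if chosen else struct.unpack_from("!H", msg)[0]
            seen["version"] = "TLS 1.3" if negotiated == TLS13 else "TLS 1.2"
        elif mtype == CERTIFICATE:
            seen["certificate_visible"] = True
    return seen

def tls12_sample():
    """Constructed TLS 1.2 flow: the Certificate message is a plaintext Handshake record."""
    dummy_der = b"\x30\x82\x01\x00" + b"\xaa" * 4  # stand-in for a DER certificate, not a real one
    cert_entry = len(dummy_der).to_bytes(3, "big") + dummy_der
    cert_list = len(cert_entry).to_bytes(3, "big") + cert_entry
    return b"".join([
        record(HANDSHAKE, handshake(CLIENT_HELLO, hello_body([sni_extension("example.com")], client=True))),
        record(HANDSHAKE, handshake(SERVER_HELLO, hello_body([], client=False))),
        record(HANDSHAKE, handshake(CERTIFICATE, cert_list)),
    ])

def tls13_sample():
    """Constructed TLS 1.3 flow: after ServerHello, Certificate rides inside encrypted records."""
    client_sv = (EXT_SUPPORTED_VERSIONS, b"\x02" + struct.pack("!H", TLS13))  # offered versions list
    server_sv = (EXT_SUPPORTED_VERSIONS, struct.pack("!H", TLS13))            # selected version
    return b"".join([
        record(HANDSHAKE, handshake(CLIENT_HELLO, hello_body([sni_extension("example.com"), client_sv], client=True))),
        record(HANDSHAKE, handshake(SERVER_HELLO, hello_body([server_sv], client=False))),
        record(APPLICATION_DATA, bytes(64)),  # ciphertext stand-in: EncryptedExtensions + Certificate
        record(APPLICATION_DATA, bytes(96)),  # ciphertext stand-in: CertificateVerify + Finished
    ])

if __name__ == "__main__":
    for label, stream in (("TLS 1.2", tls12_sample()), ("TLS 1.3", tls13_sample())):
        print(label, passive_server_identity(stream))
```

Running the script reports the certificate as visible for the TLS 1.2 stream and as hidden behind two encrypted records for the TLS 1.3 stream, with the SNI readable in both. The SNI is a client-asserted name, whereas the server certificate is what actually identifies the server; that certificate is what TLS 1.3 hides from passive inspection and what this setting lets the system obtain for rule matching.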

Enable TLS Server Identity Discovery

Use the following procedure to enable or disable TLS Server Identity Discovery for the access control policy of an FTD device:

  1. Log into CDO.
  2. Navigate to the Devices & Services page and select your FTD device.
  3. In the Management pane on the right, select Policy.
  4. Click the Access Policy Settings gear icon in the upper right corner of the table.
  5. Slide the toggle to enable (or disable) TLS Server Identity Discovery.
  6. Click Save.