You can use SSL decryption policies to turn encrypted traffic into plain text traffic, so that you can then apply URL filtering, intrusion and malware control, and other services that require deep packet inspection. If your policies allow the traffic, the traffic is re-encrypted before it leaves the device.
The SSL decryption policy applies to encrypted traffic only. No unencrypted connections are evaluated against SSL decryption rules.
Caution: Keep in mind that decrypting and then re-encrypting traffic adds a processing load on the device, which will reduce overall system performance.
Note: VPN tunnels are decrypted before the SSL decryption policy is evaluated, so the policy never applies to the tunnel itself. However, any encrypted connections within the tunnel are subject to evaluation by the SSL decryption policy.
The following procedure explains how to configure the SSL decryption policy. For an explanation of the end-to-end process of creating and managing SSL decryption, see How to Implement and Maintain the SSL Decryption Policy.
Before you begin
The SSL decryption rules table contains two sections:
- Identity Policy Active Authentication Rules—If you enable the identity policy and create rules that use active authentication, the system automatically creates the SSL decryption rules needed to make those policies work. These rules are always evaluated before the SSL decryption rules you create yourself. You can alter these rules only indirectly, by making changes to the identity policy.
- SSL Native Rules—These are rules that you have configured. You can add rules to this section only.
- Open the Devices & Services page.
- Select the device for which you want to create the SSL policy.
- Click Policy in the Management pane at the right.
- Click SSL Decryption in the policy bar.
- If you have not yet enabled the policy, click Enable SSL Decryption and configure policy settings, as described in Enable the SSL Decryption Policy.
- Configure the default action for the policy. The safest choice is Do Not Decrypt. For more information, see Configure the Default SSL Decryption Action section of the Security Policies chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for the version your device is running.
- Manage the SSL decryption policy.
After you configure SSL decryption settings, this page lists all rules in order. Rules are matched against traffic from top to bottom with the first match determining the action to apply. You can do the following from this page:
- To disable the policy, click the SSL Decryption Policy toggle. You can re-enable it by clicking Enable SSL Decryption.
- To edit policy settings, including the list of certificates used in the policy, click the configuration button on the SSL toolbar: . You can also download the certificate used with decrypt re-sign rules so that you can distribute it to clients. See the following sections of the Security Policies chapter in the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager of the version your device is running:
- Configure Certificates for Known Key and Re-Sign Decryption
- Downloading the CA Certificate for Decrypt Re-Sign Rules
- To configure rules:
- To create a new rule and log events it generates, click the blue plus button . See Configure SSL Decryption Rules.
- To edit an existing rule, click the rule in the rule table and click Edit in the Actions pane. You can also selectively edit a rule property by clicking on the property in the table.
- To delete a rule you no longer need, click the rule in the rule table and click Remove in the Actions pane.
- To move a rule, hover over it in the rule table. At the end of the row use the up and down arrows to move its position with the rule table.
- (Optional) For any rule that you created, you can select it and add a comment about it in the Add Comments field. To learn more about rule comments see, Adding Comments to Rules in FTD Policies and Rulesets.
- Continue to Enable the SSL Decryption Policy.