You can use SSL decryption policies to turn encrypted traffic into plain text traffic, so that you can then apply URL filtering, intrusion and malware control, and other services that require deep packet inspection. If your policies allow the traffic, the traffic is re-encrypted before it leaves the device.
The SSL decryption policy applies to encrypted traffic only. No unencrypted connections are evaluated against SSL decryption rules.
Unlike some other security policies, you need to monitor and actively maintain the SSL decryption policy, because certificates can expire or even be changed on destination servers. Additionally, changes in client software (for example, an application that starts pinning its server's certificate) might alter your ability to decrypt certain connections, because from the client's point of view the decrypt re-sign action is indistinguishable from a man-in-the-middle attack.
The following procedure explains the end-to-end process of implementing and maintaining the SSL decryption policy.
- If you will implement Decrypt Re-sign rules, create the required internal CA certificate.
You must use an internal Certificate Authority (CA) certificate; you have the following options. Because client browsers must trust the certificate that the device presents, either upload a CA certificate that client browsers are already configured to trust, or ensure that the certificate you upload is added to the browser trust stores.
- Create a self-signed internal CA certificate, which is signed by the device itself. See Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager > Reusable Objects > Certificates > Generating Self-Signed Internal and Internal CA Certificates.
- Upload an internal CA certificate and key signed by an external trusted CA or by a CA inside your organization. See Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager > Reusable Objects > Certificates > Uploading Internal and Internal CA Certificates.
- If you will implement Decrypt Known Key rules, collect the certificate and key from each of the internal servers.
You can use Decrypt Known Key only with servers that you control, because you must obtain the certificate and key from the server. Upload these certificates and keys as internal certificates (not internal CA certificates). See Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager > Reusable Objects > Certificates > Uploading Internal and Internal CA Certificates.
- Enable the SSL Decryption Policy.
When you enable the policy, you also configure some basic settings.
- Configure the Default SSL Decryption Action.
If in doubt, select Do Not Decrypt as the default action. Your access control policy can still drop traffic that matches the default SSL decryption rule if appropriate.
- Configure SSL Decryption Rules.
Identify traffic to decrypt and the type of decryption to apply.
- If you configure known key decryption, edit the SSL decryption policy settings to include those certificates. See Configure Certificates for Known Key and Re-Sign Decryption.
- If necessary, download the CA certificate used for Decrypt Re-sign rules and upload it to the browser on client workstations.
For information on downloading the certificate and distributing it to clients, see Downloading the CA Certificate for Decrypt Re-Sign Rules.
- Periodically, update the re-sign and known-key certificates.
- Re-sign certificate—Update this certificate before it expires. If you generate the certificate through Firepower Device Manager, it is valid for 5 years. To determine when a certificate expires, click the view icon for the certificate on the Objects page.
- Known-key certificate—For any known-key decryption rules, you need to ensure that you have uploaded the destination server's current certificate and key. Whenever the certificate and key change on those servers, you must also upload the new certificate and key (as an internal certificate) and update the SSL decryption settings to use the new certificate.
- Upload missing trusted CA certificates for external servers.
The system includes a wide range of trusted CA root and intermediate certificates issued by third parties. The system uses them to validate the destination server's certificate when it negotiates the server-side connection for decrypt re-sign rules.
Upload all certificates within a root CA's chain of trust to the list of trusted CA certificates, including the root CA certificate and all intermediate CA certificates. Otherwise, the system cannot reliably recognize certificates issued by those intermediate CAs as trusted. Upload certificates on the Objects > Certificates page. See Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager > Reusable Objects > Certificates > Uploading Trusted CA Certificates.
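The following script is an added example and is not part of the Cisco guide or of the device software. It shows the openssl checks an administrator can run from a workstation around the procedure above: generating a 5-year internal CA of the kind used for Decrypt Re-sign, confirming that a known-key certificate and private key actually belong together before uploading them, checking how long each certificate remains valid, and showing why a server certificate issued by an intermediate CA only verifies when the intermediate is in the trusted list alongside the root. The organization names, host names, file names and the constructed root/intermediate/server chain are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not taken from the Cisco guide: openssl checks an administrator
# can run while preparing and maintaining the certificates that the SSL
# decryption policy depends on. Names are assumptions; the CA and server
# certificates generated below are constructed test material.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Write a minimal openssl config: subject CN plus the extension lines in "$@".
mkcnf() {
  cnf=$1; cn=$2; shift 2
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n'
    printf '[dn]\nCN = %s\n[ext]\n' "$cn"
    printf '%s\n' "$@"
  } > "$cnf"
}

# Internal CA for Decrypt Re-sign. FDM generates its own with a 5-year
# lifetime, so this one gets 1825 days as well.
make_resign_ca() {
  mkcnf resign.cnf "Example Corp Decryption CA" \
    "basicConstraints = critical,CA:TRUE" "keyUsage = critical,keyCertSign,cRLSign"
  openssl req -x509 -config resign.cnf -newkey rsa:2048 -nodes -sha256 \
    -days 1825 -keyout resign-ca.key -out resign-ca.crt 2>/dev/null
}

# Constructed external PKI (root -> intermediate -> server). The server
# certificate and key stand in for a server you control (Decrypt Known Key);
# the root and intermediate are what you would upload as trusted CA certificates.
make_external_chain() {
  mkcnf root.cnf "Example Root CA" "basicConstraints = critical,CA:TRUE" \
    "keyUsage = critical,keyCertSign,cRLSign"
  openssl req -x509 -config root.cnf -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -keyout ext-root.key -out ext-root.crt 2>/dev/null

  mkcnf int.cnf "Example Intermediate CA" \
    "basicConstraints = critical,CA:TRUE,pathlen:0" \
    "keyUsage = critical,keyCertSign,cRLSign"
  openssl req -new -config int.cnf -newkey rsa:2048 -nodes -sha256 \
    -keyout ext-int.key -out ext-int.csr 2>/dev/null
  openssl x509 -req -in ext-int.csr -CA ext-root.crt -CAkey ext-root.key \
    -CAcreateserial -days 1825 -sha256 -extfile int.cnf -extensions ext \
    -out ext-int.crt 2>/dev/null

  mkcnf srv.cnf "intranet.example.com" "basicConstraints = CA:FALSE" \
    "subjectAltName = DNS:intranet.example.com" "extendedKeyUsage = serverAuth"
  openssl req -new -config srv.cnf -newkey rsa:2048 -nodes -sha256 \
    -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA ext-int.crt -CAkey ext-int.key \
    -CAcreateserial -days 397 -sha256 -extfile srv.cnf -extensions ext \
    -out server.crt 2>/dev/null

  # A second key, as if the server had been re-keyed after the last upload.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out stale.key 2>/dev/null

  cp ext-root.crt trusted-root-only.pem
  cat ext-root.crt ext-int.crt > trusted-full-chain.pem
}

# Known Key prerequisite: the private key must belong to the certificate.
# Exit 0 when the public keys match, 1 otherwise.
key_matches_cert() {
  key_pub="$(openssl pkey -in "$1" -pubout 2>/dev/null || true)"
  cert_pub="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null || true)"
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Expiry check for the periodic update step: exit 0 if the certificate is still
# valid $2 days from now, 1 if it expires (or already has) within that window.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Chain check against a file of trusted CA certificates, mirroring the trusted
# CA list on the device: exit 0 if a chain to a trusted root builds, 1 otherwise.
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_resign_ca
make_external_chain

echo "Re-sign CA $(openssl x509 -in resign-ca.crt -noout -enddate)"
valid_for_days resign-ca.crt 30 && echo "Re-sign CA: more than 30 days left"
key_matches_cert server.key server.crt && echo "server.key matches server.crt: upload as internal certificate"
key_matches_cert stale.key server.crt || echo "stale.key does not match server.crt: upload the current pair"
chain_verifies trusted-root-only.pem server.crt || echo "root only: chain cannot be built, upload the intermediate too"
chain_verifies trusted-full-chain.pem server.crt && echo "root + intermediate: chain verifies"
```

Run the two key checks before every known-key upload, the `valid_for_days` check on a schedule with a window longer than your change-control lead time (30 days here is an assumption), and the chain check against the exact set of root and intermediate certificates you have uploaded as trusted CAs, not against the workstation's own trust store.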