History for Decryption Policy

Each entry below lists the feature, the minimum Management Center version, the minimum Threat Defense version, and the details of the change.

Feature: Easily bypass decryption for sensitive and undecryptable traffic.
Minimum Management Center: 20240808
Minimum Threat Defense: 7.6.0
Details: It is now easier to bypass decryption for sensitive and undecryptable traffic, which protects users and improves performance.

New decryption policies now include predefined rules that, if enabled, can automatically bypass decryption for sensitive URL categories (such as finance or medical), undecryptable distinguished names, and undecryptable applications. Distinguished names and applications are typically undecryptable because they use TLS/SSL certificate pinning, which itself cannot be decrypted.

For outbound decryption, you enable or disable these rules as part of creating the policy. For inbound decryption, the rules are disabled by default. After the policy is created, you can edit, reorder, or delete the rules entirely.

New/modified screens: Policies > Access Control > Decryption > Create Decryption Policy

See: Create a Decryption Policy

Feature: Decryption policy.
Minimum Management Center: 20221213
Minimum Threat Defense: 7.3.0
Details: Feature renamed to decryption policy to better reflect what it does. You can now configure a decryption policy with one or more Decrypt - Resign or Decrypt - Known Key rules at the same time.

New/modified screens:

  • Policies > Access Control > Decryption (create new decryption policy)

  • The Create Decryption Policy dialog box now has two tab pages: Outbound Connections and Inbound Connections.

    Use the Outbound Connections tab page to configure one or more decryption rules with a Decrypt - Resign rule action. (You can either upload or generate certificate authorities at the same time.) Each combination of a CA with networks and ports results in one decryption rule.

    Use the Inbound Connections tab page to configure one or more decryption rules with a Decrypt - Known Key rule action. (You can upload your server's certificate at the same time.) Each combination of a server certificate with networks and ports results in one decryption rule.

  • Policies > Access Control > Decryption (edit a decryption rule) > Advanced Settings has new options discussed in TLS 1.3 Decryption Best Practices.

  • Policies > Access Control > (edit an access control policy), click the word Decryption to associate a decryption policy with an access control policy.

Feature: TLS 1.3 decryption.
Minimum Management Center: 20220609
Minimum Threat Defense: 7.2.0
Details: You can now enable TLS 1.3 decryption in an SSL policy's advanced settings. TLS 1.3 decryption requires that the managed device run Snort 3.

Other options are available as well; for more information, see TLS 1.3 Decryption Best Practices.

New/modified screens: SSL Policy > Advanced Settings

Feature: SSL policy advanced settings.
Minimum Management Center: 20220609
Minimum Threat Defense: 7.2.0
Details: SSL policy advanced settings.

New/modified screens: SSL Policy > Advanced Settings

Feature: Ability to specify handling of URLs having unknown reputation.
Minimum Management Center: 20220609
Minimum Threat Defense: 7.0.3
Details: For details, see About URL Filtering with Category and Reputation.

Feature: ClientHello modification for Decrypt - Known Key rules.
Minimum Management Center: 20220609
Minimum Threat Defense: 7.0.3
Details: For details, see ClientHello Message Handling.

Feature: Ability to extract the certificate in TLS 1.3 traffic to enable traffic to match URL and application criteria in access control rules.
Minimum Management Center: 20220609
Details: New/modified screens: Policies > Access Control > (edit an access control policy) > Advanced link.

For details, see Decryption Policy Advanced Options.

Feature: Changes to category and reputation-based URL filtering.
Minimum Management Center: 20220609
Minimum Threat Defense: 7.0.3
Details: For details, see About URL Filtering with Category and Reputation.

Feature: TLS crypto acceleration cannot be disabled.
Minimum Management Center: 20220609
Minimum Threat Defense: 7.0.3
Details: TLS crypto acceleration is enabled on all supported devices.

On a managed device with native interfaces, TLS crypto acceleration cannot be disabled.

Support for TLS crypto acceleration on threat defense container instances is limited as discussed in the next entry.

Removed commands:

  • system support ssl-hw-accel enable

  • system support ssl-hw-accel disable

  • system support ssl-hw-status

Feature: Support for TLS crypto acceleration on one threat defense container instance on a Firepower 4100/9300 module/security engine.
Minimum Management Center: 20220609
Minimum Threat Defense: 7.0.3
Details: You can now enable TLS crypto acceleration for one threat defense container instance on a module/security engine. TLS crypto acceleration is disabled for other container instances, but enabled for native instances.

New/modified commands:

  • config hwCrypto enable

  • show crypto accelerator status (replaces system support ssl-hw-status)

Feature: TLS/SSL hardware acceleration is now referred to as TLS crypto acceleration.
Minimum Management Center: 20220609
Minimum Threat Defense: 7.0.3
Details: The name change reflects that TLS/SSL encryption and decryption acceleration is supported on more devices. Depending on the device, acceleration might be performed in software or in hardware.

New/modified screens: Devices > Device Management > Edit > Device > General > TLS Crypto Acceleration

Feature: TLS/SSL hardware acceleration enabled by default.
Minimum Management Center: 20220609
Minimum Threat Defense: 7.0.3
Details: TLS/SSL hardware acceleration is enabled by default on all supported devices but can be disabled if desired.

Feature: Extended Master Secret extension supported (see RFC 7627).
Minimum Management Center: 20220609
Minimum Threat Defense: 7.0.3
Details: The TLS Extended Master Secret extension is supported for SSL policies; specifically, policies with a rule action of Decrypt - Resign or Decrypt - Known Key.

Feature: Aggressive TLS 1.3 downgrade.
Minimum Management Center: 20220609
Minimum Threat Defense: 7.0.3
Details: Using the system support ssl-client-hello-enabled aggressive_tls13_downgrade {true|false} CLI command, you can control the behavior for downgrading TLS 1.3 traffic to TLS 1.2. For details, see the Cisco Secure Firewall Threat Defense Command Reference.

Feature: TLS/SSL hardware acceleration introduced.
Minimum Management Center: 20220609
Minimum Threat Defense: 7.0.3
Details: Certain managed device models perform TLS/SSL encryption and decryption in hardware, improving performance. By default, the feature is enabled.

Affected screen: Devices > Device Management > Device > General page, where you can view the status of TLS/SSL hardware acceleration.

Feature: Category and reputation conditions supported.
Minimum Management Center: 20220609
Minimum Threat Defense: 7.0.3
Details: Category and reputation conditions are now supported in access control rules or SSL rules.

Feature: SafeSearch supported.
Minimum Management Center: 20220609
Minimum Threat Defense: 7.0.3
Details: The system displays an HTTP response page for connections decrypted by the SSL policy, then blocked (or interactively blocked) either by access control rules or by the access control policy default action. In these cases, the system encrypts the response page and sends it at the end of the reencrypted SSL stream.

SafeSearch filters objectionable content and stops people from searching adult sites.

Feature: TLS/SSL policy.
Minimum Management Center: 20220609
Minimum Threat Defense: 7.0.3
Details: Feature introduced.