TLS 1.3 decryption best practices
Recommendation: When to enable advanced options
Both the rule-based decryption policy and the access control policy have advanced options that affect how traffic is handled, whether the traffic is being decrypted or not.
The advanced options are:
- Decryption policy:
  - TLS 1.3 decryption
  - TLS adaptive server identity probe
- Access control policy: TLS 1.3 Server Identity Discovery
The access control policy setting takes precedence over the decryption policy setting.
Use the following table to decide which option to enable:

| TLS adaptive server identity probe setting (decryption policy) | TLS 1.3 Server Identity Discovery setting (access control policy) | Result | Recommended when |
|---|---|---|---|
| Enabled | Disabled | Adaptive probe is sent if the decryption policy contains any of the rule conditions specified in the rule-based decryption policy advanced options and the server certificate is not cached. | |
| Enabled | Enabled | Probe is always sent if the server certificate is not cached. | Use only if your access control rules have URL or application conditions. |
| Disabled | Enabled | Probe is always sent if the server certificate is not cached. | Not recommended. |
| Disabled | Disabled | Probe is never sent. | Very limited usefulness; use only if you are not decrypting traffic and not using application or URL conditions in access control rules. |
Note: A cached TLS server certificate is available to all Snort instances on a particular Firewall Threat Defense device. The cache can be cleared with a CLI command and is automatically cleared when the device is rebooted.
Reference
For more information, see the discussion of TLS server identity discovery on secure.cisco.com.