SSL Decryption with Cisco Firepower Management Center

Cisco Firepower Management Center v6.2 
SSL Decryption Policy

This walk-through assumes you have an internal CA server in your production environment (e.g. Microsoft).

1. Log in to Firepower Management Center (FPMC), go to Objects->Object Management->PKI->Internal CAs and click "Generate CA".

2. Fill out each field according to your FPMC setup and click on "Generate CSR".

3. Copy the Base64-encoded text of the certificate signing request (this is also referred to as a Base64 or .pem request). Now open a browser, go to your internal certificate server and request a certificate.
4. Click on "Request a certificate", then click on "advanced certificate request".
5. Paste the contents of the clipboard into the text box, set Certificate Template to "Subordinate Certificate Authority", and click Submit.
6. Select Base64 encoded and click Download Certificate, then save the signed certificate to an easily accessible location (e.g. the Desktop). Open the certificate with a text editor and copy all of its contents to the clipboard. Back in FPMC, edit the CSR, click Install Certificate, paste the contents of the clipboard and click "Save".
7. The certificate is now signed and installed, and FPMC can now re-sign certificates.
8. Now it is time to build your SSL Policy, go to Policies->Access Control->SSL. Click "New Policy". The following is an example of a typical SSL Policy wherein companies will refrain from decrypting Financial (e.g. Online Banking), Shopping (e.g. Amazon), and HealthCare Services (e.g. Cigna, BCBS) but then decrypt (resign) all remaining traffic (via the Default Decrypt All Rule).


9. Now apply the SSL Policy by going to Policies->Access Control. Edit your existing access control policy, click on SSL Policy, select your SSL Policy from the drop-down, Save, and deploy to your device(s).

This concludes the setup and creation of SSL Decryption on Firepower Management Center. It is important to note that while SSL Decryption is rather straightforward to implement, once you begin subjecting production traffic to it you will likely need to make some adjustments: monitor connection events (Analysis->Connections->Events) to help you tune the SSL Policy to your company's needs. If something is being blocked (e.g. Google Services), you may want to add a new rule so that the "Search Engines" category is not decrypted, etc.
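The two pieces of the walk-through that benefit from a concrete model are the SSL Policy from step 8 (first-match rules that exempt Financial, Shopping and Health Care traffic and re-sign everything else) and the tuning loop above (reading connection events to find which decrypted categories are failing). The Python below is an added example, not Cisco's code or FMC's data format: the rule names, the category labels, the "Success"/"Handshake Error" status values and the comma-separated event lines are all constructed assumptions modelled on the text, so you would adapt the parser to the columns of your own connection-event export before using it.

```python
"""Added example: a first-match model of the step 8 SSL policy plus a triage
helper over constructed connection events. Rule names, category labels,
status values and the event line format are assumptions, not FMC's schema."""
from collections import defaultdict
from dataclasses import dataclass

# Actions as the SSL policy editor names them.
DO_NOT_DECRYPT = "Do Not Decrypt"
DECRYPT_RESIGN = "Decrypt - Resign"


@dataclass(frozen=True)
class SSLRule:
    name: str
    categories: frozenset  # URL categories the rule matches; empty = match any
    action: str


# Step 8 policy: exempt the sensitive categories, then a catch-all re-sign rule.
SSL_POLICY = [
    SSLRule("Exempt Financial", frozenset({"Financial Services"}), DO_NOT_DECRYPT),
    SSLRule("Exempt Shopping", frozenset({"Shopping"}), DO_NOT_DECRYPT),
    SSLRule("Exempt Health Care", frozenset({"Health Care Services"}), DO_NOT_DECRYPT),
    SSLRule("Default Decrypt All", frozenset(), DECRYPT_RESIGN),
]


def evaluate(policy, category):
    """First-match evaluation, as the SSL policy does it: return
    (rule name, action) for a flow whose URL category is `category`."""
    for rule in policy:
        if not rule.categories or category in rule.categories:
            return rule.name, rule.action
    raise ValueError("SSL policy has no catch-all rule")


# Constructed connection events (assumed columns):
# timestamp,client,server,url_category,ssl_status
CONNECTION_EVENTS = """\
2018-03-01T10:00:01,10.1.1.5,203.0.113.10,Search Engines,Handshake Error
2018-03-01T10:00:02,10.1.1.5,203.0.113.10,Search Engines,Handshake Error
2018-03-01T10:00:05,10.1.1.7,203.0.113.11,Search Engines,Success
2018-03-01T10:00:06,10.1.1.7,203.0.113.11,Search Engines,Handshake Error
2018-03-01T10:00:09,10.1.1.9,203.0.113.20,Business and Economy,Success
2018-03-01T10:00:10,10.1.1.9,203.0.113.20,Business and Economy,Success
2018-03-01T10:00:12,10.1.1.5,203.0.113.30,Financial Services,Success
2018-03-01T10:00:13,10.1.1.5,203.0.113.30,Financial Services,Success
"""


def parse_events(text):
    """Parse the constructed CSV lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server, category, status = line.split(",")
        events.append({"ts": ts, "client": client, "server": server,
                       "category": category, "status": status})
    return events


def decrypt_failure_report(events, policy, threshold=0.5):
    """For every category the policy re-signs, count flows and failed
    handshakes. Returns ({category: (flows, failures)}, candidates) where
    candidates are categories whose failure ratio is at least `threshold`,
    i.e. the ones worth a new Do Not Decrypt rule during tuning."""
    stats = defaultdict(lambda: [0, 0])
    for ev in events:
        _rule, action = evaluate(policy, ev["category"])
        if action != DECRYPT_RESIGN:
            continue  # exempted traffic is never re-signed, nothing to tune
        stats[ev["category"]][0] += 1
        if ev["status"] != "Success":
            stats[ev["category"]][1] += 1
    candidates = sorted(cat for cat, (flows, fails) in stats.items()
                        if flows and fails / flows >= threshold)
    return {cat: tuple(v) for cat, v in stats.items()}, candidates


if __name__ == "__main__":
    stats, candidates = decrypt_failure_report(parse_events(CONNECTION_EVENTS), SSL_POLICY)
    for cat, (flows, fails) in sorted(stats.items()):
        print(f"{cat:22s} decrypted={flows} failed={fails}")
    print("consider Do Not Decrypt for:", candidates)
```

Run as-is, the report shows "Search Engines" failing three of four re-signed handshakes while "Business and Economy" is clean and "Financial Services" never appears because the exempt rule matched first; that is the signal the closing paragraph describes, where the fix is a new rule placed above the Default Decrypt All rule rather than turning decryption off. The threshold is a tuning knob: a single failed handshake is normal noise, a category failing most of its flows usually means clients that will not accept the re-signed certificate.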