If you are going to allow a specific piece of a Web Application or category (such as allowing Google Drive but not Gmail, or allowing Facebook logins but not all of Facebook), would you inspect the specific traffic (category or application) and resign it in the SSL policy and then allow it via your ACL? Thanks, loved the video!
David, thank you for your comment.
In your SSL Policy, there is a default action. If that is set to Do not decrypt, then you would have to create a rule in your SSL Policy that identifies the apps you wish to block.
In the Applications column/selection, apps requiring decryption to be identified are displayed with a gold lock so they are easily identified.
Hopefully this helps and stay tuned for this Friday the 20th where we have the next Friday Firepower Hour covering how to integrate Firepower with Cisco Threat Response.
Paul
Great presentation. What do we do in instances where you are hosting an external-facing website using a publicly signed SSL certificate (Entrust, Verisign, etc.) on the load balancer or server? Can we decrypt that traffic? Or do SSL policies only work for internal PKI certs for which the FMC can be a subordinate CA? Thanks!
Very informative. Is the certificate generation and installation process different for public SSL certs? I see some guides using OpenSSL and not the FMC, etc. Or is the process the same, for instance when deploying SSL certs to be used in RA VPN? Thank you
Hi Bismark, thank you for your comment. You would not/could not use a public SSL cert for this. Your Firewall is acting as an intermediate CA. Not a single Public CA, like Entrust, Verisign, etc., would allow you to be an intermediate CA for them, thus using your own CA. Hopefully this makes sense.
Paul
Very nice walk-through by Cisco experts. Very relevant content, with the large percentage of malware encrypting their traffic to avoid detection.
Thank you David!
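The exchange above turns on one PKI fact: a decrypting firewall presents certificates it signs itself, so the certificate it holds must be a subordinate CA certificate issued by your own private root, and a public server certificate (which carries CA:FALSE and no keyCertSign) can never fill that role. The following script is an added example that is not part of the video, the comment thread, or any Cisco product; it uses plain OpenSSL (as some of the guides mentioned above do) to build a private root, issue a subordinate "resign" CA from it, sign a certificate with that sub CA, and then demonstrate with `openssl verify` why a certificate signed by an ordinary server certificate is rejected. All names (Example Private Root CA, Example Firewall Resign CA, www.example.test), file names, and lifetimes are made-up placeholders.

```shell
#!/bin/sh
# Added example (not from the video or from Cisco): a private root CA plus a
# subordinate "resign" CA of the kind a decrypting firewall needs, and a
# demonstration of why a CA:FALSE server certificate cannot act as issuer.
# All names, paths and lifetimes are constructed for this example.
set -e

WORK="${WORK:-$(mktemp -d)}"
CFG="$WORK/ext.cnf"

# Extension profiles: root CA, subordinate CA (pathlen:0, so it may only
# issue end-entity certificates), and an ordinary TLS server certificate.
write_config() {
    cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_sub_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
}

# Fresh key and CSR: $1 = file prefix, $2 = subject CN.
new_csr() {
    openssl req -new -config "$CFG" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# Sign CSR $1 with issuer cert/key $2 using extension section $3, producing $1.crt.
sign_csr() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$CFG" -extensions "$3" \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

build_pki() {
    write_config
    # 1. Self-signed private root; this is what goes into the client trust stores.
    openssl req -x509 -config "$CFG" -extensions v3_ca -newkey rsa:2048 -nodes \
        -sha256 -days 3650 -subj "/CN=Example Private Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
    # 2. Subordinate CA for the firewall: this cert+key is what a resign action uses.
    new_csr sub "Example Firewall Resign CA"
    sign_csr sub root v3_sub_ca
    # 3. A server certificate as the firewall would present it for a decrypted session.
    new_csr leaf "www.example.test"
    sign_csr leaf sub v3_server
    # 4. The mistake from the thread: a public-style server cert (CA:FALSE) used as issuer.
    new_csr bad "www.example.test"
    sign_csr bad leaf v3_server
    cat "$WORK/sub.crt" "$WORK/leaf.crt" > "$WORK/chain.pem"
}

# Print the CA flag from a certificate's basicConstraints ("CA:TRUE" or "CA:FALSE").
ca_flag() {
    openssl x509 -in "$WORK/$1.crt" -noout -text | grep -o 'CA:[A-Z]*' | head -n 1
}

# Exit 0 when the sub-CA-signed server cert chains to the private root.
resigned_leaf_verifies() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" \
        "$WORK/leaf.crt" >/dev/null 2>&1
}

# Exit 0 when verification correctly rejects a cert whose issuer is a CA:FALSE cert.
non_ca_issuer_rejected() {
    if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/chain.pem" \
        "$WORK/bad.crt" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

build_pki
echo "sub CA basicConstraints:      $(ca_flag sub)"
echo "server cert basicConstraints: $(ca_flag leaf)"
resigned_leaf_verifies && echo "cert signed by the sub CA: verifies against the private root"
non_ca_issuer_rejected && echo "cert signed by a CA:FALSE server cert: rejected by openssl verify"
```

The same check explains the earlier question about publicly signed certificates: the public CA only ever issues you a CA:FALSE end-entity certificate for your load balancer, so nothing signed with its key will validate, and the decryption path on the firewall has to be backed by a subordinate CA from a PKI you control, with the root key kept offline and only the subordinate certificate and key loaded on the firewall.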