Cisco FTD SSL Decryption
SSL decryption (TLS interception) is the process by which a security appliance terminates the client's TLS session, inspects the plaintext, and re-encrypts the traffic toward the server, so that encrypted web traffic can be inspected for threats. It only works because the clients trust a CA that the appliance controls; the rest of this post sets that CA up on FTD, enables decryption, and tests the result.
Configuring Internal CA Certificate
First we need to create an Internal CA certificate. FTD uses it to re-sign the server certificates it presents to clients, so this CA appears as the issuer of every decrypted connection.
Without FMC (Firepower Management Center), FTD managed through FDM has no option to generate a CSR, so the post uses the Certificate Tools website to create the key pair and CSR. Note what this means: the private key of the CA that will re-sign every HTTPS site for your users is generated in a third-party browser tool. Treat that key as the most sensitive secret on the firewall, and prefer generating it on a machine you control (for example with OpenSSL) if you can.
In the tool, fill in the Common Name, Subject Alternative Name and the other subject fields as shown below.
In the Key Usage dropdown, make sure Certificate Sign and CRL Sign are checked.
Leave Extended Key Usage empty, and under Basic Constraints select Yes for the CA option. Without CA:TRUE and the Certificate Sign key usage, clients will not accept certificates signed by this CA.
Go to the CA server and sign the CSR using the “Subordinate Certificate Authority” template.
A Subordinate Certificate Authority (Sub-CA) is a lower-level CA in a PKI hierarchy that issues certificates under the authority of a higher-level CA. Here FTD becomes a Sub-CA of the existing root, so devices that already trust that root can validate the certificates FTD issues.
Then, in the Firepower Device Manager (FDM) of the FTD, go to Objects » Certificates and add an Internal CA.
Paste the signed certificate returned by the CA server and the private key from Certificate Tools. The two must belong together: the public key in the certificate has to match the private key you upload.
The Internal CA is now imported and ready to be used.
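An alternative to the Certificate Tools web page, added here as an example and not part of the original post: generate the Internal CA key pair and CSR locally with OpenSSL, with the same attributes the form above asks for (Key Usage Certificate Sign and CRL Sign, no Extended Key Usage, Basic Constraints CA = yes), then check the CSR and the certificate the CA server returns before importing them into FDM. The hostname ftd.helena.gg comes from the post; the file names, the working directory and the pathlen:0 constraint are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: create the FTD Internal CA key
# pair and CSR locally with OpenSSL instead of a third-party web form, with
# the same attributes the post selects (Key Usage: Certificate Sign, CRL Sign;
# no Extended Key Usage; Basic Constraints CA: yes), then check the CSR and
# the certificate the CA server returns before importing them into FDM.
# ftd.helena.gg is the FTD's name in the post; file names are assumptions.
set -eu

# make_subca_csr <dir> <cn>: write subca.key and subca.csr into <dir>.
make_subca_csr() {
    dir=$1 cn=$2
    mkdir -p "$dir"
    cat > "$dir/subca.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = subca_ext

[ dn ]
CN = $cn

[ subca_ext ]
# CA = yes. pathlen:0 is an added restriction: a re-signing CA only ever
# issues end-entity certificates, so it must not be able to create sub-CAs.
basicConstraints = critical, CA:TRUE, pathlen:0
# Certificate Sign and CRL Sign only; no Extended Key Usage.
keyUsage         = critical, keyCertSign, cRLSign
subjectAltName   = DNS:$cn
EOF
    # The private key never leaves this machine; keep it readable by you only.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/subca.cnf" \
        -keyout "$dir/subca.key" -out "$dir/subca.csr" 2>/dev/null
    chmod 600 "$dir/subca.key"
}

# csr_requests_ca <csr>: succeed only if the CSR asks for CA:TRUE with
# Certificate Sign and CRL Sign, which is what the Subordinate CA template
# on the CA server should see.
csr_requests_ca() {
    text=$(openssl req -in "$1" -noout -text)
    case $text in *"CA:TRUE"*) ;; *) return 1 ;; esac
    case $text in *"Certificate Sign, CRL Sign"*) ;; *) return 1 ;; esac
}

# key_matches_cert <key> <cert>: the certificate the CA server returned must
# belong to the private key you upload alongside it in Objects » Certificates;
# compare the public keys to be sure before importing.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout)
    c=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$k" = "$c" ]
}

WORK=$(mktemp -d)
make_subca_csr "$WORK" ftd.helena.gg
if csr_requests_ca "$WORK/subca.csr"; then
    echo "CSR ready: submit $WORK/subca.csr to the CA server"
fi
```

Submit subca.csr to the CA server, then run key_matches_cert against subca.key and the certificate it returns before pasting both into the Internal CA object; the key file itself is never sent anywhere.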
Configuring SSL Decryption Policy
Go to Policies » SSL Decryption and select Enable SSL Decryption.
Use the newly imported Internal CA as the Decrypt Re-Sign certificate, and add the Root CA under Trusted CA Certificates so that FTD also accepts server certificates issued by your own PKI when it validates them.
For the rule, add a new one named “decrypt-all” with the Decrypt Re-Sign action, matching all traffic from the inside zone to the outside zone on ports HTTP and HTTPS.
That's it: SSL decryption is now enabled with a single rule.
Testing the SSL Decryption
On a client PC, when accessing any website on the internet we should see that the certificates are now issued by our FTD firewall, meaning the traffic was indeed decrypted and re-encrypted by FTD. The client has to trust the root CA for this to be seamless; a client without that trust anchor would instead get a certificate warning on every site.
Clicking Details shows more of the PKI hierarchy: ftd.helena.gg acts as a Sub-CA of HELENA-CA and issues the certificate for twitter.com.
Back on the firewall, Monitoring » Events lists all the traffic along with its SSL certificate status.
Clicking Details shows granular information about the connection, in particular the SSL decryption status.
Blocking Traffic with Bad SSL
Right now we only have one rule, which decrypts all traffic to the internet. Let's add another that blocks connections to servers presenting bad SSL certificates (invalid or self-signed) instead of decrypting them.
On Policies » SSL Decryption, add a new rule named “block” with the Block action and order “1”, so it sits above decrypt-all; rules are evaluated top to bottom, and the first match wins.
On the Advanced tab, set Certificate Status to “Invalid” and Self Signed to “Self-Signing”, then save.
Now we have two SSL decryption rules: block first, then decrypt-all.
Testing the SSL Decryption with Block
Testing again, all traffic with bad SSL certificates is now blocked.
In Monitoring » Events we can also see the blocked traffic along with its certificate status.
Lastly, Monitoring » SSL Decryption shows the overall statistics of the SSL decryption process.
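To make the hierarchy from the testing section and the two conditions of the block rule concrete, here is an added example (not from the original post) that rebuilds root CA to FTD sub-CA to re-signed site certificate with OpenSSL, then classifies certificates the way the rule does: a chain up to the trusted root is valid, a server certificate that signs itself is self-signed, and a certificate from a CA the client does not trust is invalid. The names HELENA-CA, ftd.helena.gg and twitter.com come from the post; the remaining names, the Rogue-CA and the file layout are constructed for the example, and the locally generated keys stand in for the real CA server and the FTD Internal CA.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the chain a client sees
# after decryption (root CA, FTD sub-CA, re-signed site certificate) with
# OpenSSL, then classify certificates the way the FDM block rule's conditions
# do (Certificate Status: Invalid, Self Signed: Self-Signing). HELENA-CA,
# ftd.helena.gg and twitter.com follow the post; all keys and certificates
# are generated locally and stand in for the real CA server and FTD.
set -eu

# newkey <name> <cn>: RSA key pair and CSR for <name> with CN=<cn> in the
# current directory. A minimal req.cnf avoids depending on the system openssl.cnf.
newkey() {
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > req.cnf
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# issue <name> <issuer> [extfile]: turn <name>.csr into <name>.crt. The issuer
# "self" self-signs (a root CA, or a server certificate that signs itself);
# any other issuer signs with <issuer>.key. The extension file decides whether
# the result is a CA or an end-entity certificate.
issue() {
    name=$1 issuer=$2 ext=${3-}
    set -- -req -in "$name.csr" -days 365 -out "$name.crt"
    if [ "$issuer" = self ]; then
        set -- "$@" -signkey "$name.key"
    else
        set -- "$@" -CA "$issuer.crt" -CAkey "$issuer.key" -CAcreateserial
    fi
    if [ -n "$ext" ]; then set -- "$@" -extfile "$ext"; fi
    openssl x509 "$@" 2>/dev/null
}

# build_hierarchy <dir>: create every certificate used below inside <dir>
# (runs in a subshell, so the caller's working directory is untouched).
build_hierarchy() (
    cd "$1"
    # CA profile as in the post's CSR form: CA = yes, Certificate Sign + CRL Sign.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    # Server profile for the certificate FTD re-signs for the client.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:twitter.com\n' > leaf.ext

    newkey root HELENA-CA
    issue root self ca.ext             # the root the client already trusts
    newkey ftd ftd.helena.gg
    issue ftd root ca.ext              # FTD Internal CA, signed by the root (the CA server's job)
    newkey site twitter.com
    issue site ftd leaf.ext            # what FTD presents to the client for twitter.com
    newkey selfsigned selfsigned.test
    issue selfsigned self              # a server certificate that signs itself
    newkey rogue Rogue-CA
    issue rogue self ca.ext            # a CA the client has never trusted...
    newkey bad bad.example
    issue bad rogue                    # ...and a site certificate it issued
)

# cert_status <leaf.crt> <trusted-root.crt> <intermediate.crt>: prints
# "valid", "self-signed" (the leaf itself is self-signed: error 18 at depth 0)
# or "invalid" (anything else openssl rejects, e.g. an untrusted issuer).
cert_status() {
    out=$(openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>&1) || true
    case $out in
        *": OK"*)                echo valid ;;
        *"error 18 at 0 depth"*) echo self-signed ;;
        *)                       echo invalid ;;
    esac
}

# issuer_of <cert>: the issuer the browser shows in the certificate details;
# after decryption it should be the FTD sub-CA, not the site's public CA.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

WORK=$(mktemp -d)
build_hierarchy "$WORK"
issuer_of "$WORK/site.crt"             # names CN = ftd.helena.gg
for c in site selfsigned bad; do
    printf '%-15s %s\n' "$c.crt" "$(cert_status "$WORK/$c.crt" "$WORK/root.crt" "$WORK/ftd.crt")"
done
```

The same openssl verify run against a live site is a quick way to confirm what the block rule will act on: a server certificate that chains to a trusted root passes, a self-signed one fails at depth 0, and one issued by an unknown CA fails at chain building, which is the distinction the Self Signed and Certificate Status conditions draw.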