Skip to main content

Firepower SSL Policy Configuration

Over the years after using firewall of different vendors it is outmost sure that SSL decyrption is mandatory whether it comes to IPS, File level blocking or any other threat prevention techniques to be used. Let me try to write a short blog on how to perform SSL decryption for destination NAT traffic or also know as inbound traffic.

Importing certificate and key
In order for source NAT ( outgoing traffic ) to work we need to either import a certificate or generate a self signed certificate accordingly . In order for destination NAT ( incoming traffic ) to work we need to import the certificate and key that is currently being used by the application itself. This blog is going to be more about destination NAT traffic.
Go to Objects > Object Management > PKI > Internal Certs 

 Add Internal Certs 

Creating SSL Policy
Go to Policies >  SSL Policy and create a new policy
We need to select Decrypt - Known key and also select the certificate and key (DONIDCR-SSL) th
at we have recently imported . The policy needs to be configured as configured on access control policy making used for zone , networks , ports . There are additional option in this policy for server related cipher suits , cert status and version which we can play on as well.



ADDING SSL POLICY TO ACCESS CONTROL POLICY

We will now need this SSL policy to be added on Access control policy 

Go to Policy > Access Control Policy 

We will now need to need to deploy it accordingly and inorder to verify we can check the Events as well.




SSL Status for all the incoming traffic for the web application can now be seen as Decrypt (Known Key) which basically means that SSL decryption is working . 

We also need to know that SSL Policy is always placed before ACP (Access Control Policy ) . SSL Policy is checked before going towards Access Control Policy so we need to configure it carefully otherwise our application might not work accordingly and also must know which traffic to decrypt and which not to. SSL decryption always will place a heavy load on the firewall so we must selectively do it on the application and also checking the load of the firewall.

Labels:

Comments

Post a Comment

Popular posts from this blog

SSL Decryption FortiGate

  We have pretty much heard about SSL decryption and of malware hiding inside an encrypted traffic. A large amount of traffic in the internet is pretty much encrypted which basically means that bad things like malware, virus, ransomware can hide inside this encrypted traffic. If majority of these traffic are encrypted our Firewalls are not able to analyze these traffic which can easily infect our organization and the investment which we have done in these firewalls are wasted. There does come around a solution for this and as my topic suggest SSL Decryption also know as Deep Packet Inspection as by some IT folks. The image that I have attached down below clearly suggest about what I am trying to explain. Using deep packet inspection, the firewall simply decrypts the encrypted traffic happening  between client and server, inspects the content to find the threats and block them , then forwards it to the destination re-encrypting it . We will need to first setup the SSL/SSH in...
Post a Comment
Read more

High Availability Palo Alto (Active/Standby)

 High Availability is usually performed in most of the data centers networks today which ensures application availability . High Availability is usually achieved in case one of the appliance goes down or have some physical or logical connectivity issues.  Achieving high availability in Palo Alto firewall is relatively very easy. Palo Alto firewall can work in both Active/Standby mode or in Active/Active. We will basically be talking about Active/Standby mode in this article. There are basically two links that needs to be configure in Palo Alto for HA. 1. Control Links Control Links are associated with control plane traffic which is mainly used for heartbeat exchanged, configuration synchronization. Dedicate HA ports are available in higher series of Palo Alto or even a HA interface can be created for some inband ports.   2. Data Links Data Links are mainly used for session synchronization, forwarding table synchronization. Dedicated HSCI Ports are available for highe...
Post a Comment
Read more

Virtual Chassis Juniper EX 3400 (PREPROVISONED)

Juniper has always been an technology that I have always liked right from the beginning of my career when I was working as an Jr Network Administrator. The logical command as well as the hierarchy based Juniper devices has always made me love the device. Let me today talk about a very useful and an interesting topic which we usually called stack in the world of Cisco and virtual chassis in the world of Juniper, both of them mean the same thing logically make two or more than two switch as a one and configure and manage the device as a single unity. High Availability, managed configuration and maintenance are few of the benefits that a virtual chassis can provide. The configuration for virtual chassis can be found easily in the juniper sites but my objective about writing this is making it more simpler in context to Juniper's document. There are basically two ways of configuring virtual chassis in Juniper. 1.   Nonprovisioned configuration  :  The master switch assig...
Post a Comment
Read more