LABSEC-1010
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Live Berlin Page 1 of 15
LABSEC-1010 Configuration of SSL Inspection/decryption on Cisco Firepower
E-Learning Objective
On completion of this lab, you will be able to:
• Explain the fundamentals of SSL inspection
• Describe the roles of Firepower Management Center (FMC) and Firepower sensors
• Implement an SSL policy and an Access Control policy
• Perform log analysis and general troubleshooting
Prerequisites
Disclaimer
This training document is intended to familiarize you with Firepower SSL inspection technology. Although the lab design and
configuration examples could be used as a reference, it is not a real design; thus not all recommended features are
used, or enabled optimally. For design-related questions, please contact your representative at Cisco or a Cisco
partner.
Because the task has to be completed within a limited time period, we are going to configure only the
Decrypt-Resign method to perform decryption for public websites, and we will discuss the additional
steps involved in configuring the Known-Key method.
The Decrypt-Resign method is used to decrypt traffic to public websites. Firepower Threat Defense (FTD) acts as a
man-in-the-middle (MITM) during the SSL handshake. When the web server sends its certificate, FTD re-signs the server
certificate using the internal CA certificate, substitutes its own public key in the server certificate, and then sends
the re-signed server certificate to the end client. The client browser may show an invalid-certificate error if the internal
CA certificate has not been added to the browser's trusted CA list. From this point on, the FTD appliance can interpret and
inspect the subsequent communication between client and server.
Steps to configure the Decrypt-Resign Method
Step 1: Verify Firepower sensor registration, license and deployment mode
Log in to Firepower Management Center (FMC) using the URL https://<fmc's IP> with username admin and password
ciscolive. [Use the FMC IP assigned to your POD number as described on page 5.]
→ Navigate to Devices > Device Management. You should be able to see an entry for a Firepower Threat Defense device
with model "Cisco FirePOWER Threat Defense for VMware" registered to the FMC.
→ Verify the Access Control policy that is currently applied to the sensor.
Provide a name and select Do Not Decrypt as the Default Action. The SSL policy editor page appears. The SSL policy
editor page works the same way as the Access Control Policy editor page.
Task (Rule): On the SSL policy editor page, click Add Rule. In the Add Rule window, provide a name for the rule and fill
in all other relevant information.
Name: specify a rule name
Action: Decrypt-Resign
• The sensor acts as a man-in-the-middle (MitM): it accepts the connection from the user, then establishes a
new connection to the server. For example, the user types https://www.cisco.com into a browser. The traffic
reaches the sensor, the sensor negotiates with the user using the selected CA certificate, and SSL tunnel
A is built. At the same time the sensor connects to https://www.cisco.com and creates SSL tunnel B.
• This action requires an internal CA. Select Replace Key if you wish the key to be replaced. The user will
receive the certificate you select.
• DN: You can create a DN for cisco.com by navigating to Objects > Object Management > Distinguished Name, or you
can enter it manually as CN=www.cisco.com
• Enable Logging:
Decrypt - Known Key description (not covered in this lab due to time constraints)
• The sensor holds the private key that is used to decrypt the traffic. For example, the user types
https://www.facebook.com into a browser. The traffic reaches the sensor, the sensor decrypts the traffic, and then
inspects it.
• End result: the user sees Facebook's certificate
• This action requires an Internal Certificate. This is added in Objects > PKI > Internal Certs.
Note: Your organization must be the owner of the domain and certificate. For the example of facebook.com the only
possible way to have the end user see facebook's certificate would be if you actually own the domain facebook.com
(i.e. your company is Facebook, Inc) and have ownership of the facebook.com certificate signed by a public CA. You
can only decrypt with known keys for sites that your organization owns.
The main purpose of Decrypt - Known Key is to decrypt traffic heading to your own HTTPS servers in order to protect those
servers from external attacks. For inspecting client-side traffic to external HTTPS sites you will use Decrypt-Resign, because
you do not own the server and you are interested in inspecting the traffic from clients in your network connecting to external
encrypted sites.
→ Make sure logging is enabled.
→ Save the policy.
→ Select the SSL policy and click OK.
→ Save the Access Control Policy:
Step 5: Deploy the configuration change to the FTD appliance
→ Click the Deploy button at the top.
Click the green check mark beside the Deploy button, then open the Tasks tab to ensure the deployment task
completes successfully.
Additional Configurations
The following change should be made in the intrusion policies for proper identification of decrypted traffic:
→ Your $HTTP_PORTS variable should include port 443 and any other ports carrying HTTPS traffic that will be decrypted
by your policy (Objects > Object Management > Variable Set > edit the variable set).
Task: In the Management Center go to Analysis > Connections > Events.
Depending on your workflow you may or may not see the SSL decrypt option. Click Table View of Connection Events.
Verify that the SSL Status is Decrypt (Resign) for traffic going to cisco.com. Also verify that the certificate shown for
cisco.com is the InternalCA certificate we configured for Decrypt-Resign.
In the Management Center go to Analysis > Connections > Events (this is how events appear when
Decrypt (Known Key) is used).
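As an added example (not part of the Cisco lab guide), the following Python checker performs the verification above over a constructed connection-event table export: every flow to cisco.com must show SSL Status Decrypt (Resign) and a certificate issued by the internal CA, and anything else is flagged. The column names, IP addresses and issuer names are assumptions, not real FMC output.

```python
import csv
import io

# Constructed sample of a connection-event table export. Column names are
# assumptions modelled on the fields the lab asks you to check; the values are made up.
SAMPLE_EVENTS = """\
Initiator IP,Responder IP,Responder Port,URL,SSL Status,SSL Rule,SSL Certificate Issuer
10.1.1.10,198.51.100.10,443,https://www.cisco.com/,Decrypt (Resign),Decrypt-cisco,CN=InternalCA
10.1.1.11,198.51.100.10,443,https://www.cisco.com/,Do Not Decrypt,Default Action,CN=Public CA (placeholder)
10.1.1.12,198.51.100.20,443,https://www.facebook.com/,Do Not Decrypt,Default Action,CN=Public CA (placeholder)
10.1.1.13,198.51.100.10,443,https://www.cisco.com/,Decrypt (Resign),Decrypt-cisco,CN=InternalCA
10.1.1.14,198.51.100.10,443,https://www.cisco.com/,Decrypt (Resign),Decrypt-cisco,CN=SomeOtherCA
"""


def parse_events(text):
    """Parse a CSV export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def host_of(url):
    """Strip scheme and path: 'https://www.cisco.com/x' -> 'www.cisco.com'."""
    return url.split("://", 1)[-1].split("/", 1)[0].lower()


def audit_decrypt_resign(rows, domain, internal_ca_cn):
    """Return (initiator IP, reason) for every flow to `domain` that is not
    decrypted by Decrypt (Resign) with a certificate issued by the internal CA."""
    findings = []
    for r in rows:
        host = host_of(r["URL"])
        if host != domain and not host.endswith("." + domain):
            continue  # flow to some other site: out of scope for this rule
        status = r["SSL Status"]
        issuer = r["SSL Certificate Issuer"]
        if status != "Decrypt (Resign)":
            findings.append((r["Initiator IP"], f"not decrypted: SSL Status={status!r}"))
        elif internal_ca_cn not in issuer:
            # Decrypted, but the client was handed a certificate from an unexpected issuer.
            findings.append((r["Initiator IP"], f"resigned by {issuer!r}, expected {internal_ca_cn}"))
    return findings


def status_summary(rows):
    """Count flows per SSL Status, a quick sanity check that the policy took effect."""
    counts = {}
    for r in rows:
        counts[r["SSL Status"]] = counts.get(r["SSL Status"], 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print(status_summary(events))
    for ip, reason in audit_decrypt_resign(events, "cisco.com", "InternalCA"):
        print(f"{ip}: {reason}")
```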
General Troubleshooting:
The list of trusted CAs in a browser is completely dependent on the browser's implementation, and each browser can
populate its trusted list differently from other browsers. In general there are two ways that current browsers populate
a list of trusted CAs:
1. They use the list of trusted CAs that the operating system trusts.
2. They ship a list of trusted CAs with the software, built into the browser itself.
For the most common browsers the trusted CAs are populated as follows:
• Google Chrome: Operating system's trusted CA list
• Firefox: Maintains its own trusted CA list
• Internet Explorer: Operating system's trusted CA list
• Safari: Operating system's trusted CA list
It is important to know the difference, because the behavior seen on the client will vary depending on this. For
example, to add a trusted CA for Chrome and IE you must import the CA certificate into the OS's trusted CA
store. Once the CA certificate is in the OS's trusted CA store, you will no longer get a warning when connecting
to sites with a certificate signed by this CA. For Firefox, you must manually import the CA certificate into
the trusted CA store in the browser itself. After doing this, you will no longer get a security warning when
connecting to sites whose certificates were issued by that CA.
You can search the Cisco Live Las Vegas content catalog with the keyword Firepower; there are many sessions on Firepower
technology.
https://www.ciscolive.com/us/learn/sessions/session-catalog/?search=firepower&showEnrolled=false
Summary
This lab guide is designed to familiarize you with SSL inspection using Firepower technology. The lab also lets you
become familiar with the types of SSL decryption and with navigating the various options of the SSL policy, the Access Control policy,
policy deployment, and log analysis. This session should have helped you understand SSL decryption and inspection on Cisco Firepower
devices, which in turn helps customers increase the security of encrypted traffic flowing through their networks.