Thanks for the feedback Celeb Beaver

Thanks for attending and appreciate the comments. Cheers Yazeed

Thanks Vaibhav, I will create a couple using FMC shortly. In the meantime I do have some on the endpoint side - Check out the following playlist - kzbin.info/aero/PLyf18hdY22ERMGwsca4ZpHYWBC_7zQkZ9

Thanks for the feedback Felix

Thanks Sergei!

Thanks Vikas!

Thanks for the feedback Ameer!

Thanks for the comment Technical Ustad!

Hi Karl, can you expand on this? If you are saying that Chrome is switching to QUIC you can block it on Firepower and force it to drop down to TLS. You can look into GPO to invoke your will on the windows asset.

Thanks for the comments as well :)

Correct. Additional Details www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/decryption_tuning_using_ssl_rules.html#ID-2255-00000582 Trusting External Certificate Authorities www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/decryption_tuning_using_ssl_rules.html#ID-2255-00000623 External Certificate Objects www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/reusable_objects.html#ID-2243-00000d4a

Thanks Marcela! Check out the following in regards to supported and unsupported features (latest version) www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/getting_started_with_ssl_rules.html?bookSearch=true#id_103862 TLS/SSL Rule Unsupported Features: RC4 cipher suite is unsupported - The Rivest Cipher 4 (also referred to as RC4 or ARC4) cipher suite is known to have vulnerabilities and is considered insecure. SSL policies identify the RC4 cipher suite as unsupported; you should configure the Unsupported Cipher Suite action in the policy's Undecryptable Actions tab page to match your organization’s requirements. For more information, see Default Handling Options for Undecryptable Traffic. -Passive and inline tap mode interfaces not supported

Hi Justin, not a use case I see often especially when decrypting guest traffic - alot of privacy elements to consider when doing so. You are correct, there are challenges around cert warnings when you do not have the cert signed by a trusted CA. You may consider when onboarding the device to push the cert into the trusted store - perhaps MDM or things like ByoD and ISE. I would have to peal the onion back on this a little more but hope this gives you things to consider.

@@jasonmaynard8773 That does give me some things to consider. So far I have only set this up for Social Networking sites and it is being applied only to a Security Group with the majority of the domain users in it. Seems to be working but they are getting cert errors in Chrome and Firefox, IE works fine. I created a GPO to add the CA to the PC's and even added it to Firefox on one PC but it still gets the errors. Not sure I really like this very much so far. My other question is don't we basically need to decrypt everything for inspection because they may just connect to a random https site and get malware, if it isn't being inspected. How would you setup that policy?

You should not get cert warnings if you followed the setup in the video the first bit talks about the creation of the certificates using MS enterprise CA - I am using Chrome in the example. Look at the example on the client at 16:25 - you can see that no warning as the certificate is trusted. If you continue to have issues I would open a TAC case. In regards to what to decrypt - that depends on the security and HR policy. HR may state that health and finance cannot be decrypted. Also, you may block sites that are bad earlier on in the connection such as through security intelligence or web reputation. Again, it comes down to your security policy and acceptable risk. Hope this helps.

@@justinmanship5431 Check the Hashing algorithm of your root CA.. If it's SHA1, Chrome/Firefox will have issues. You'll need to migrate to SHA256 OR rebuild with SHA256. Once that's done, you need to regen all certificates to get them also to SHA256 (like the subordinate FMC). I ran into this recently and was what I needed to do. yes IE worked with SHA1.. for now.

Thanks MIke! Please note: @ 1:43 ish I talk about what the environment looks like and it is a default installation with nothing more but confirm what Mike provided just in case your environment is slightly different. Let us know how it goes and thanks again MIke for the support!!

Hi James, that depends on whether you leverage software or hardware based decryption. I would recommend that you reach out to your local Cisco Security CSE for specific details.

Decrypt-Known Key method is used to perform inbound SSL/TLS decryption. The core use case is for inbound SSL/TLS traffic to an internal Web Server or device. This allows Firepower to detects malicious content, threats, malware flowing over this secure channel.