Author Topic: Cisco ASA Sourcefire SSL URL filtering (on behalf of Milin)

Offline Administrator

Cisco ASA Sourcefire SSL URL filtering (on behalf of Milin)
« on: February 11, 2016, 11:19:30 PM »
With Firepower 6.0 and Cisco ASA 9.4.2 OS, I am experiencing bandwidth degradation.
So I would like to know: if anyone wants to upgrade from Firepower 5.4 to 6.0, which firewall base IOS version should they use? (A stable IOS.)

Offline Administrator

Re: Cisco ASA Sourcefire SSL URL filtering (on behalf of Milin)
« Reply #1 on: February 11, 2016, 11:24:00 PM »
How much degradation are you experiencing? A rule of thumb is you can only expect a third of the platform or regular throughput with IPS, Malware, URL turned on, probably even less (like 20%) with SSL decryption.
In terms of stability, the latest 9.4 and 9.5 should be fine although you may still want to review outstanding bugs for each release.

Offline milin1607

Re: Cisco ASA Sourcefire SSL URL filtering (on behalf of Milin)
« Reply #2 on: March 09, 2016, 01:48:38 AM »
By degradation I mean that when SSL inspection is enabled, even allowed websites do not open without a delay of at least 10 to 15 s or more, meaning users are experiencing browsing slowness.

Is there any known bug or something for SSL inspection?


Thanks,
Milin

Offline Mikep

Re: Cisco ASA Sourcefire SSL URL filtering (on behalf of Milin)
« Reply #3 on: March 09, 2016, 10:53:22 AM »
Which model ASA are you running?

How many users? How much bandwidth?

Offline milin1607

Re: Cisco ASA Sourcefire SSL URL filtering (on behalf of Milin)
« Reply #4 on: March 09, 2016, 09:32:00 PM »
It is ASA-5516-X with Firepower Services.

Around 200 Users, 50Mbps ILL Line.

Offline MC

Re: Cisco ASA Sourcefire SSL URL filtering (on behalf of Milin)
« Reply #5 on: March 09, 2016, 11:18:32 PM »
10-15 sec delay to load a page is certainly not normal. Are you decrypting all SSL, or only selective categories?

Offline milin1607

Re: Cisco ASA Sourcefire SSL URL filtering (on behalf of Milin)
« Reply #6 on: March 10, 2016, 01:37:31 AM »
A few websites are not opening at all, either.

I created 2 SSL policies to decrypt only selected traffic for a few categories.

The Internet browsing experience is worse after redirecting traffic through the Firepower module.


Offline Mikep

Re: Cisco ASA Sourcefire SSL URL filtering (on behalf of Milin)
« Reply #7 on: March 10, 2016, 07:59:48 AM »
Some sites just won't work when using SSL decryption.

We use the WSA for all of our SSL decryption, so I can't speak to the Firepower module. I have only used it for SSL in the lab with a 5516.

On the WSA we have a custom category created for sites to exclude from decryption if they are problematic.

I suggest doing the same thing on the Firepower.

Create a Distinguished Name object group called "Do not decrypt" or whatever you like.

Add the URLs that you want.

Then add a new rule to your SSL policy with the action "Do not decrypt" and select the DN group you created.

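One way to build the exclusion list Mikep describes from evidence rather than guesswork, as an added example that is not from this thread or from Cisco: rank servers by how often their decrypted sessions fail or stall, and use the result as the entries for the "Do not decrypt" DN group. The CSV layout and the field names ssl_action, ssl_status and duration_ms are constructed assumptions, not the FMC connection-event export format.

```python
# Added example (not from the thread): rank servers for a "Do not decrypt"
# DN group from constructed Firepower-style connection events. The field
# names (ssl_action, ssl_status, duration_ms) are assumptions, not the
# real FMC export schema.
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample: one connection event per line.
SAMPLE_EVENTS = """\
timestamp,client,server_name,ssl_action,ssl_status,duration_ms
2016-03-10T09:00:01,10.1.1.10,bank.example,Decrypt - Resign,Handshake Error,12400
2016-03-10T09:00:05,10.1.1.11,bank.example,Decrypt - Resign,Handshake Error,15100
2016-03-10T09:00:07,10.1.1.12,bank.example,Decrypt - Resign,Success,900
2016-03-10T09:01:00,10.1.1.10,news.example,Decrypt - Resign,Success,350
2016-03-10T09:01:03,10.1.1.13,news.example,Decrypt - Resign,Success,410
2016-03-10T09:01:09,10.1.1.14,news.example,Decrypt - Resign,Success,13000
2016-03-10T09:02:00,10.1.1.15,update.example,Decrypt - Resign,Decrypt Error,14000
2016-03-10T09:02:02,10.1.1.16,update.example,Decrypt - Resign,Decrypt Error,13900
2016-03-10T09:03:00,10.1.1.17,intranet.example,Do not decrypt,Success,120
"""

def summarize(events_csv):
    """Per server: decrypted connection count, failure rate, median duration."""
    stats = defaultdict(lambda: {"n": 0, "fail": 0, "durations": []})
    for row in csv.DictReader(io.StringIO(events_csv)):
        if not row["ssl_action"].startswith("Decrypt"):
            continue  # already exempt from decryption; nothing to learn here
        s = stats[row["server_name"]]
        s["n"] += 1
        s["fail"] += 1 if row["ssl_status"] != "Success" else 0
        s["durations"].append(int(row["duration_ms"]))
    return {
        name: {"n": s["n"], "fail_rate": s["fail"] / s["n"],
               "median_ms": statistics.median(s["durations"])}
        for name, s in stats.items()
    }

def do_not_decrypt_candidates(events_csv, min_events=2, fail_rate=0.5, slow_ms=10000):
    """Servers whose decrypted sessions mostly fail or are typically slow."""
    summary = summarize(events_csv)
    return sorted(
        name for name, s in summary.items()
        if s["n"] >= min_events
        and (s["fail_rate"] >= fail_rate or s["median_ms"] >= slow_ms)
    )

if __name__ == "__main__":
    for name in do_not_decrypt_candidates(SAMPLE_EVENTS):
        print(name)  # one entry per line for the "Do not decrypt" DN group
```

The thresholds are deliberately conservative defaults; a site with a single slow outlier (news.example above) stays decrypted, while sites that fail or stall on most sessions are flagged.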

Offline MC

Re: Cisco ASA Sourcefire SSL URL filtering (on behalf of Milin)
« Reply #8 on: March 10, 2016, 10:23:09 PM »
It is true that sometimes you get a different experience with certain sites and different web browsers when doing SSL decryption. Dumb question, have you given the FP module a reload?

Offline milin1607

Re: Cisco ASA Sourcefire SSL URL filtering (on behalf of Milin)
« Reply #9 on: March 10, 2016, 11:39:24 PM »
Hi Sucanushie/MC,

Thanks for your response.

But if a few SSL sites will not work with the FP module, then what's the meaning of using it?
If I want to use WSA, then why should I purchase the FP URL-Filtering license?

In production I am getting the worst experience using URL Filtering with the Firepower module.

Maybe I have reloaded the FP module, but what is wrong with that?

Because Cisco has made it compulsory that if your old CX module contracts are expiring, then you must upgrade to Firepower, but that is not at all stable yet.

Can anyone suggest when it will be as stable as other firewalls (i.e. PA)?

Thanks,
Milin


Offline MC

Re: Cisco ASA Sourcefire SSL URL filtering (on behalf of Milin)
« Reply #10 on: March 13, 2016, 10:30:14 PM »
I don't think that websites not loading is specific to FP, but to SSL decryption and sometimes browser type. Maybe others who have used other SSL decryption products can chime in.

If you already use WSA for URL filtering, there is almost no reason to enable URL filtering on FP. In which case, you use FP for IPS, maybe Malware protection.

Reloading the FP module is just a troubleshooting step. Obviously you shouldn't keep reloading it to fix the problem.


Offline Mikep

Re: Cisco ASA Sourcefire SSL URL filtering (on behalf of Milin)
« Reply #11 on: March 14, 2016, 06:42:52 AM »
Agreed with what MC says.

The WSA does web filtering and SSL decryption better than the ASA with Firepower. At this time anyway.

We use the Firepower for Layer 7 rules, IPS and the AMP but not for URL filtering.

Offline milin1607

Re: Cisco ASA Sourcefire SSL URL filtering (on behalf of Milin)
« Reply #12 on: March 22, 2016, 03:08:58 AM »
I know that WSA is better than the FP module's URL Filtering.

What I said was that URL Filtering is not working as expected; that's the reason we are running WSA with demo licenses.

Offline MC

Re: Cisco ASA Sourcefire SSL URL filtering (on behalf of Milin)
« Reply #13 on: March 23, 2016, 05:10:06 PM »
BTW, milin1607, have you engaged a Cisco engineer on this issue? If so, what did they say?
