collapse

Search


User Info

 
 
Welcome, Guest. Please login or register.
Did you miss your activation email?

Author Topic: Firepower SSL  (Read 36102 times)

Offline Mikep

  • Cisco Newbie
  • *
  • Posts: 21
  • Reputation: 5
  • Certification: CCNP
Firepower SSL
« on: February 11, 2016, 03:41:46 PM »
Hi there,

I'm trying to setup SSL decryption in my lab using Firepower 6.0 with an ASA 5516-X

I'm using this doc...

You are not allowed to view links. Register or Login

I created a CSR, requested a cert on my windows CA but the next step when I import the signed cert It asked for the private key along with the cert.

Where can I get the private key?

I tried to do what this says...

You are not allowed to view links. Register or Login

But I got an error in Firepower when I tried to save it.

Any idea what I might be missing?

Offline Mikep

  • Cisco Newbie
  • *
  • Posts: 21
  • Reputation: 5
  • Certification: CCNP
Re: Firepower SSL
« Reply #1 on: February 11, 2016, 03:52:35 PM »
scratch that.  I got it working another way.

Generate the CSR, Sign it with the CA.

Go back to Firepower and click the pencil on the cert you just create. 

Then bottom left click install certificate and upload the signed you downloaded from the CA

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: Firepower SSL
« Reply #2 on: February 11, 2016, 11:30:02 PM »
Did you get the SSL decryption working already? Where did you generate the CSR from? Did you upload the cert under PKI > CA Cert? What template on MS CA did you use to sign the cert?

Offline Mikep

  • Cisco Newbie
  • *
  • Posts: 21
  • Reputation: 5
  • Certification: CCNP
Re: Firepower SSL
« Reply #3 on: February 12, 2016, 04:39:46 AM »
Hi MC,

So I did the following steps...

Objects-Object Management - PKI - Internal CAs

From there click Generate CA



Fill in the data and then click Generate CSR on the bottom left.



Copy the CSR, then go to your CA and sign the cert.

I'm not sure why but my CA doesn't have options as to what kind of cert it is, like yours does in your videos.

Once you have the signed cert go back to Firepower and click the pencil on the cert you just created



Then Click on Install Cert on the bottom left and browse for your signed cert.



Once this was all done create your SSL policy.  I choose to only decrypt some categories  using the Decrypt - Resign and choose the Cert you just created.

Assign the SSL policy to your access policy.

Seems to be working for me. However I tested a dropbox policy to allow the site but not to allow upload and download.  The download was blocked and the application was Dropbox Download, however the upload still worked and the application shown as just dropbox.

Need to do some more testing.
« Last Edit: February 12, 2016, 04:55:52 AM by sucanushie »

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: Firepower SSL
« Reply #4 on: February 17, 2016, 02:45:35 AM »
Thank you for the detail instruction sucanushie.  :) I know that cert requires signing capability so it usually needs to be issued from a correct template but if it is already working for you then it should be find.
I do sometime see issue with micro app on FP (in your case Dropbox upload/download). If you have found issue and resolution, please kindly share your experience, it would be much appreciated.

Offline maiquel

  • Cisco Newbie
  • *
  • Posts: 6
  • Reputation: 0
  • Certification: CCNP
Re: Firepower SSL
« Reply #5 on: August 04, 2016, 04:09:31 AM »
Hi @sucanushie

But you needed importe the CAROOT at the MS CA ?

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: Firepower SSL
« Reply #6 on: August 07, 2016, 12:23:21 AM »
You are not allowed to view links. Register or Login
Hi @sucanushie

But you needed importe the CAROOT at the MS CA ?
The FP cert should be signed by your enterprise CA that is trusted by your internal clients so when FP intercept the SSL session, the client would not complain.

Offline maiquel

  • Cisco Newbie
  • *
  • Posts: 6
  • Reputation: 0
  • Certification: CCNP
Re: Firepower SSL
« Reply #7 on: August 12, 2016, 07:48:46 AM »
Hi MC, what the template at MS i use for sign the Certificate ? I use the web or not ?
tks.

Offline maiquel

  • Cisco Newbie
  • *
  • Posts: 6
  • Reputation: 0
  • Certification: CCNP
Re: Firepower SSL
« Reply #8 on: August 12, 2016, 01:11:14 PM »
Hi MC,

I used the Subordinate Certification Authority, and its work work for IE and Chrome. For Firefox, i needed put manual for trust the certificate.


Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: Firepower SSL
« Reply #9 on: August 16, 2016, 11:25:04 PM »
Since the FP cert need to be able to resign the cert web server returns, it is correct to use the Subordinate CA template. Different browsers react to this differently as you have observed especially Firefox that might require your enterprise root CA stored in browser settings in addition to Windows CA store.

 

Related Topics

  Subject / Started by Replies Last post
1 Replies
28703 Views
Last post May 15, 2015, 05:55:19 AM
by MC
2 Replies
26314 Views
Last post June 21, 2015, 11:29:09 AM
by misthe
6 Replies
28437 Views
Last post July 20, 2015, 07:48:48 AM
by amsa
1 Replies
25081 Views
Last post August 29, 2015, 05:19:33 PM
by MC
1 Replies
36701 Views
Last post November 06, 2015, 04:57:48 PM
by MC

SimplePortal 2.3.7 © 2008-2024, SimplePortal