Author Topic: Firepower SSL (Read 34671 times)

Mikep · « **on:** February 11, 2016, 03:41:46 PM »

Hi there,

I'm trying to setup SSL decryption in my lab using Firepower 6.0 with an ASA 5516-X

I'm using this doc...

You are not allowed to view links. Register or Login

I created a CSR, requested a cert on my windows CA but the next step when I import the signed cert It asked for the private key along with the cert.

Where can I get the private key?

I tried to do what this says...

You are not allowed to view links. Register or Login

But I got an error in Firepower when I tried to save it.

Any idea what I might be missing?

Mikep · « **Reply #1 on:** February 11, 2016, 03:52:35 PM »

scratch that. I got it working another way.

Generate the CSR, Sign it with the CA.

Go back to Firepower and click the pencil on the cert you just create.

Then bottom left click install certificate and upload the signed you downloaded from the CA

MC · « **Reply #2 on:** February 11, 2016, 11:30:02 PM »

Did you get the SSL decryption working already? Where did you generate the CSR from? Did you upload the cert under PKI > CA Cert? What template on MS CA did you use to sign the cert?

Mikep · « **Reply #3 on:** February 12, 2016, 04:39:46 AM »

Hi MC,

So I did the following steps...

Objects-Object Management - PKI - Internal CAs

From there click Generate CA

Fill in the data and then click Generate CSR on the bottom left.

Copy the CSR, then go to your CA and sign the cert.

I'm not sure why but my CA doesn't have options as to what kind of cert it is, like yours does in your videos.

Once you have the signed cert go back to Firepower and click the pencil on the cert you just created

Then Click on Install Cert on the bottom left and browse for your signed cert.

Once this was all done create your SSL policy. I choose to only decrypt some categories using the Decrypt - Resign and choose the Cert you just created.

Assign the SSL policy to your access policy.

Seems to be working for me. However I tested a dropbox policy to allow the site but not to allow upload and download. The download was blocked and the application was Dropbox Download, however the upload still worked and the application shown as just dropbox.

Need to do some more testing.

MC · « **Reply #4 on:** February 17, 2016, 02:45:35 AM »

Thank you for the detail instruction sucanushie.

I know that cert requires signing capability so it usually needs to be issued from a correct template but if it is already working for you then it should be find.
I do sometime see issue with micro app on FP (in your case Dropbox upload/download). If you have found issue and resolution, please kindly share your experience, it would be much appreciated.

maiquel · « **Reply #5 on:** August 04, 2016, 04:09:31 AM »

Hi @sucanushie

But you needed importe the CAROOT at the MS CA ?

MC · « **Reply #6 on:** August 07, 2016, 12:23:21 AM »

You are not allowed to view links. Register or Login

Hi @sucanushie

But you needed importe the CAROOT at the MS CA ?

The FP cert should be signed by your enterprise CA that is trusted by your internal clients so when FP intercept the SSL session, the client would not complain.

maiquel · « **Reply #7 on:** August 12, 2016, 07:48:46 AM »

Hi MC, what the template at MS i use for sign the Certificate ? I use the web or not ?
tks.

maiquel · « **Reply #8 on:** August 12, 2016, 01:11:14 PM »

Hi MC,

I used the Subordinate Certification Authority, and its work work for IE and Chrome. For Firefox, i needed put manual for trust the certificate.

MC · « **Reply #9 on:** August 16, 2016, 11:25:04 PM »

Since the FP cert need to be able to resign the cert web server returns, it is correct to use the Subordinate CA template. Different browsers react to this differently as you have observed especially Firefox that might require your enterprise root CA stored in browser settings in addition to Windows CA store.

Search

User Info

Author Topic: Firepower SSL (Read 34671 times)

Mikep

Firepower SSL

Mikep

Re: Firepower SSL

MC

Re: Firepower SSL

Mikep

Re: Firepower SSL

MC

Re: Firepower SSL

maiquel

Re: Firepower SSL

MC

Re: Firepower SSL

maiquel

Re: Firepower SSL

maiquel

Re: Firepower SSL

MC

Re: Firepower SSL

Related Topics