Procedure

Before you begin

The SSL decryption rules table contains two sections:

  • Identity Policy Active Authentication Rules—If you enable the identity policy and create rules that use active authentication, the system automatically creates the SSL decryption rules needed to make those policies work. These rules are always evaluated before the SSL decryption rules you create yourself. You can alter these rules only indirectly, by making changes to the identity policy.

  • SSL Native Rules—These are rules that you have configured. You can add rules to this section only.

Procedure

Step 1

In the navigation pane, click Inventory.

Step 2

Click the Devices tab to locate the device or the Templates tab to locate the model device.

Step 3

Click the FTD tab and select the device you want to create the SSL policy.

Step 4

Click Policy in the Management pane at the right.

Step 5

Click SSL Decryption in the policy bar.

Step 6

If you have not yet enabled the policy, click Enable SSL Decryption and configure policy settings, as described in Enable the SSL Decryption Policy.

Step 7

Configure the default action for the policy. The safest choice is Do Not Decrypt. For more information, see Configure the Default SSL Decryption Action section of the Security Policies chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for the version your device is running.

Step 8

Manage the SSL decryption policy.

After you configure SSL decryption settings, this page lists all rules in order. Rules are matched against traffic from top to bottom with the first match determining the action to apply. You can do the following from this page:

  • To disable the policy, click the SSL Decryption Policy toggle. You can re-enable it by clicking Enable SSL Decryption.

  • To edit policy settings, including the list of certificates used in the policy, click the configuration button on the SSL toolbar: . You can also download the certificate used with decrypt re-sign rules so that you can distribute it to clients. See the following sections of the Security Policies chapter in the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager of the version your device is running:

    • Configure Certificates for Known Key and Re-Sign Decryption

    • Downloading the CA Certificate for Decrypt Re-Sign Rules

  • To configure rules:

    • To create a new rule and log events it generates, click the blue plus button . See Configure SSL Decryption Rules.

    • To edit an existing rule, click the rule in the rule table and click Edit in the Actions pane. You can also selectively edit a rule property by clicking on the property in the table.

    • To delete a rule you no longer need, click the rule in the rule table and click Remove in the Actions pane.

    • To move a rule, hover over it in the rule table. At the end of the row use the up and down arrows to move its position with the rule table.

    • (Optional) For any rule that you created, you can select it and add a comment about it in the Add Comments field. To learn more about rule comments see, Adding Comments to Rules in FTD Policies and Rulesets.

Step 9

Continue to Enable the SSL Decryption Policy.