Procedure
Before you begin
If you have not already, review Configuring SSL Decryption Policies, Enable the SSL Decryption Policy, and Configure the Default SSL Decryption Action to configure the SSL decryption policy your rules will be added to.
If you are creating a decrypt known-key rule, ensure that you upload the certificate and key for the destination server (as an internal certificate) and also edit the SSL decryption policy settings to use the certificate. Known-key rules typically specify the destination server in the destination network criteria of the rule. For more information, see Configure Certificates for Known Key and Re-Sign Decryption.
Procedure
Step 1: In the navigation pane, click Inventory.
Step 2: Click the Devices tab to locate the device or the Templates tab to locate the model device.
Step 3: Click the FTD tab and select the device for which you want to enable the SSL Decryption policy.
Step 4: Click Policy in the Management pane at the right.
Step 5: Click SSL Decryption in the policy bar.
Step 6: Do any of the following:
Step 7: In Order, select where you want to insert the rule in the numbered list of rules. You can insert rules into the SSL Native Rules section only. The Identity Policy Active Authentication Rules are automatically generated from your identity policy and are read-only. Rules are applied on a first-match basis, so you must ensure that rules with highly specific traffic matching criteria appear above rules with more general criteria that would otherwise apply to the matching traffic. By default, the rule is added to the end of the list. If you want to change a rule's location later, edit this option.
Step 8: In Name, enter a name for the rule. The name cannot contain spaces. You can use alphanumeric characters and these special characters: + . _ -
Step 9: Select the action to apply to matching traffic. For a detailed discussion of each option, see the following:
Step 10: Define the traffic matching criteria using any combination of the following tabs:
To modify a condition, click the blue plus button within that condition, select the desired object or element, and click Select in the popup dialog box. If the criterion requires an object and the object you need does not exist, click Create New Object. Click the x next to an object or element to remove it from the policy. When adding conditions to SSL decryption rules, consider the following tips:
Step 11: (Optional) Configure logging for the rule. Traffic that matches the rule is included in dashboard data or the Event Viewer only if you enable logging for it. Select from these options:
If you have a subscription to Cisco Security Analytics and Logging, specify or create a syslog server object using a Secure Event Connector's IP address and port. See Cisco Security Analytics and Logging for more information.
Step 12: Click Save.
Step 13: (Optional) For any rule that you created, you can select it and add a comment about it in the Add Comments field. To learn more about rule comments, see Adding Comments to Rules in FTD Policies and Rulesets.
Step 14: Review and deploy the changes you made now, or wait and deploy multiple changes at once.
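As an added illustration of the first-match ordering requirement in Step 7 and the name rules in Step 8 (example code written for this page, not part of the Cisco documentation and not CDO's own rule engine), the following Python model evaluates a rule list first-match and flags a later, more specific rule that an earlier, more general rule fully shadows. The rule fields, the action labels and the 203.0.113.10 server address are assumptions constructed for the example; only destination network and destination port criteria are modelled.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
NAME_RE = re.compile(r"^[A-Za-z0-9+._-]+$")  # alphanumerics plus + . _ -  and no spaces

def valid_rule_name(name: str) -> bool:
    """Check a candidate name against the character rules given for the Name field."""
    return bool(NAME_RE.match(name))

@dataclass(frozen=True)
class DecryptRule:               # hypothetical model of a rule's matching criteria
    name: str
    action: str                  # assumed labels, e.g. "decrypt-known-key" or "decrypt-resign"
    dst_networks: tuple = ()     # IPv4 CIDR strings; empty means any destination
    dst_ports: tuple = ()        # TCP ports; empty means any port

def matches(rule: DecryptRule, dst_ip: str, dst_port: int) -> bool:
    net_ok = not rule.dst_networks or any(
        ip_address(dst_ip) in ip_network(n) for n in rule.dst_networks)
    port_ok = not rule.dst_ports or dst_port in rule.dst_ports
    return net_ok and port_ok

def first_match(rules, dst_ip, dst_port):
    """First-match evaluation: the first rule whose criteria fit the flow wins."""
    return next((r for r in rules if matches(r, dst_ip, dst_port)), None)

def covers(general: DecryptRule, specific: DecryptRule) -> bool:
    """True if every flow that matches `specific` would also match `general`."""
    nets_ok = not general.dst_networks or (bool(specific.dst_networks) and all(
        any(ip_network(s).subnet_of(ip_network(g)) for g in general.dst_networks)
        for s in specific.dst_networks))
    ports_ok = not general.dst_ports or (bool(specific.dst_ports)
        and set(specific.dst_ports) <= set(general.dst_ports))
    return nets_ok and ports_ok

def shadowed_rules(rules):
    """Return (shadowed, shadowing) name pairs: later rules an earlier rule fully covers."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed sample: a broad re-sign rule placed above a known-key rule for one
# internal server (203.0.113.10 is documentation address space, not a real host).
RESIGN_ALL = DecryptRule("resign-all-https", "decrypt-resign", (), (443,))
KNOWN_KEY = DecryptRule("known-key-intranet", "decrypt-known-key", ("203.0.113.10/32",), (443,))
MISORDERED = [RESIGN_ALL, KNOWN_KEY]   # the known-key rule can never fire
CORRECTED = [KNOWN_KEY, RESIGN_ALL]    # specific rule first, as Step 7 requires
```

Running `shadowed_rules` over a candidate order before saving is a cheap way to catch a known-key rule that a broader re-sign rule above it would silently absorb.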