Procedure

Before you begin

If you have not already, review Configuring SSL Decryption Policies, Enable the SSL Decryption Policy, and Configure the Default SSL Decryption Action to configure the SSL decryption policy your rules will be added to.

If you are creating a decrypt known-key rule, ensure that you upload the certificate and key for the destination server (as an internal certificate) and also edit the SSL decryption policy settings to use the certificate. Known-key rules typically specify the destination server in the destination network criteria of the rule. For more information, see Configure Certificates for Known Key and Re-Sign Decryption.

Procedure


Step 1

In the navigation pane, click Inventory.

Step 2

Click the Devices tab to locate the device or the Templates tab to locate the model device.

Step 3

Click the FTD tab and select the device for which you want to enable the SSL Decryption policy.

Step 4

Click Policy in the Management pane at the right.

Step 5

Click SSL Decryption in the policy bar.

Step 6

Do any of the following:

  • To create a new rule, click the blue plus button.

  • To edit an existing rule, click the edit icon for the rule.

  • To delete a rule you no longer need, click the remove icon for the rule.

Step 7

In Order, select where you want to insert the rule in the numbered list of rules.

You can insert rules into the SSL Native Rules section only. The Identity Policy Active Authentication Rules are automatically generated from your identity policy and are read-only.

Rules are applied on a first-match basis, so you must ensure that rules with highly specific traffic matching criteria appear above policies that have more general criteria that would otherwise apply to the matching traffic.

The default is to add the rule to the end of the list. If you want to change a rule's location later, edit this option.

Step 8

In Name, enter a name for the rule.

The name cannot contain spaces. You can use alphanumeric characters and these special characters: + . _ -

Step 9

Select the action to apply to matching traffic. For a detailed discussion of each option, see the following:

Step 10

Define the traffic matching criteria using any combination of the following tabs:

  • Source/Destination—The security zones (interfaces) through which the traffic passes, the IP addresses or the country or continent (geographical location) for the IP address, or the TCP ports used in the traffic. The default is any zone, address, geographical location, and TCP port. See Source/Destination Criteria for SSL Decryption Rules.

  • URL—The URL category of a web request. The default is that the URL category and reputation are not considered for matching purposes. See URL Criteria for SSL Decryption Rules.

  • Application—The application, or a filter that defines applications by type, category, tag, risk, or business relevance. The default is any encrypted application. See Application Criteria for SSL Decryption Rules .

  • Users—The user or user group. Your identity policies determine whether user and group information is available for traffic matching. You must configure identity policies to use this criteria. See User Criteria for SSL Decryption Rules.

  • Advanced—The characteristics derived from the certificates used in the connection, such as SSL/TLS version and certificate status. See Advanced Criteria for SSL Decryption Rules.

To modify a condition, you click the blue plus button within that condition, select the desired object or element, and click Select in the popup dialog box. If the criterion requires an object, you can click Create New Object if the object you require does not exist. Click the x for an object or element to remove it from the policy.

When adding conditions to SSL decryption rules, consider the following tips:

  • You can configure multiple conditions per rule. Traffic must match all the conditions in the rule for the rule to apply to traffic. For example, you can use a single rule to decrypt traffic based on URL category.

  • For each condition in a rule, you can add up to 50 criteria. Traffic that matches any of a condition's criteria satisfies the condition. For example, you can use a single rule to apply application control for up to 50 applications or application filters. Thus, there is an OR relationship among the items in a single condition, but an AND relationship between condition types (for example, between source/destination and application).

  • Matching URL category requires the URL license.

Step 11

(Optional.) Configure logging for the rule.

You must enable logging for traffic that matches the rule to be included in dashboard data or Event Viewer. Select from these options:

  • No logging—Do not generate any events.

  • Send Connection Events To—If you want to send a copy of the events to an external syslog server, select the server object that defines the syslog server. If the required object does not already exist, click Create and create it. (To disable logging to a syslog server, select Any from the server list.)

  • At End of Connection—Generate an event at the conclusion of the connection. Because event storage on the device is limited, sending events to an external syslog server can provide more long term storage and enhance your event analysis.

If you have a subscription to Cisco Security Analytics and Logging, specify or create a syslog server object using a Secure Event Connector's IP address and port. See Cisco Security Analytics and Logging for more information.

Step 12

Click Save.

Step 13

(Optional) For any rule that you created, you can select it and add a comment about it in the Add Comments field. To learn more about rule comments see, Adding Comments to Rules in FTD Policies and Rulesets.

Step 14

Review and deploy now the changes you made, or wait and deploy multiple changes at once.