Cisco CCNP Security 300-710 SNCF – Cisco NGFW Firepower Threat Defense (FTD) Part 10

47. Lecture-47:Configure and Verify SSL Decryption Policy FTD Lab.

So in this part we gonna do SSL policy lab. So we will use the same lab which we are using since last two, three weeks. I have internal three PC, PC three which is window PC one three and gateway is 254. And I have a docker which one one and gateway is 254. And also DNS is eight eight. And these two and I have a call Linux. Right now we are not using one, two. And this is my inside network. Okay. I am also connected my management and inside to the same switch. Zero slash one is inside with 1254 and one one 4254 is outside. Outside I have two server which we’re going to use in next lab. And this is my gateway, 1114 one. So there is a default gateway to give everything here. And this is net cloud to net it everything and providing us the internet access management. We are using 100, 200 is FTD IP and 110 is FMC IP. So I’m logging to 210 and this device is already registered. FTD is already registered. This one is already registered. 200 in routed mode. And these policies are pushed to this one. Okay. And these are the interfaces if you want to see one, one 4254 outside and 254, one is inside. And there is a route already configured which we configure it. Already configure it. Okay, so everything they are giving to 1141 which I told you, this is this one. Okay. They said. And also there is a default net policy to netted internal subnet to outside subnet.

So there is a paid configure this one from inside to outside, just 1921-6810 to interface IP. Outside interface IP. We will discuss net later in the course in detail. That’s it. And we have an excess policy configure by default to allowed everything. This one we have configured to allowed everything they said these are the four five thing which is predefined configure and we know how to configure them. Now our target is to configure SSL policy to decrypt the packet. Because if I block a Facebook here, we checked as well. If I block a Facebook, suppose I want to block Facebook, which we saw either Twitter. So if I say Facebook block. And if I say block here, either block with reset whatever and the traffic is going from inside to outside and we done last time URL. We can create URL here. Suppose I create URL by default there is a Facebook we last time create.

So I say this is select this one when I say block. And we enable logs to see. Okay. And if I add this rule, because in URL filtering we face this issue. And I told you that time that without SSL decryption most of the thing will be bypassed. Maybe they block some of them. I’m not saying because in FTD there is a feature. They are checking the name. You need the certificate name. So if I visit from here to Facebook, okay? It’s not push yet, but I’m just showing you it will be allowed and maybe later on it will be also allowed. Why they block Yahoo even though it is also Https by name and every certificate when you visit so there is a name for that one. So sometimes they get the name from there and they block them. But it will not work for every website. So that’s why if we want to block Facebook and all these things okay, so what we need to do, we need to use SSL decryption, okay, let me go to any other website like yesterday we blocked these one. So this is somewhere attached, I don’t know where is this attach?

I need to check that’s why we are checking anything. So it’s showing us blog like in case of Yahoo yesterday we block them. So let’s see and let’s see twitter we also yesterday blog I need a website which is allowed. So MSN, we also block I believe yesterday we blocked them yesterday we’re using security intelligent rule. I believe I need to remove security intelligent as well to test everything properly. So what I can do, let me go to access control policy, okay? And let me go to access control policy and from here security intelligent let me delete all these let me delete one by one. There is a way to delete them. This is global one, that’s why it’s not okay, this is the global one and that’s it. And URL so URL we delete, okay? And save and let me go back I believe let’s see now facebook we need to push them but I just want to check okay, so the previous one is still running so you know, it will not block. Maybe some of them will block because of Https traffic. So what we need to block such traffic so we need SSL policy. How we can create SSL policy? Here is SSL policy, but this SSL policy requires certificate first. So in first part we will create certificate, local certificate. How we can do you need to go to object and object management. That’s the first thing which require for SSL decryption and here there will be PKI. Here is also we discuss in CCNP PKI, okay? So in PKI we need to go to internal CA certificate authority internally. So this is internal CA and here we can import we can buy from DG cert and from God and we can buy that certificate, we can use that one and then you can import it will ask you the key and the certificate and you can import them. Second method, we can generate our own which we normally do in real world rather than to buy experience, we just generate and push them through active directory to all your internal users. So it’s an internal certificate authority. So let’s create generate CA just give them a name. Suppose what is called firepower certificate. There will be no space.

So it will give us. You can give any name and country is SA because it’s in two letter. So I say SA and state. I can write in more detail. City is riyadh. Okay. Organization is BT. An organization unit is supposed it and common name firepower certificate. Test this requirement certificate like a normal certificate. You print your name, your country or detail. So I put these details. Now, there are another method, two more method to create local certificate. One is generate this one. You need to generate a code and you need to copy that code. And if you have a certificate authority server, which we create from what is called Server 2008, server 2012 1916, you need to install certificate authority there. And then you can generate certificate from there. Normally authorization they have a certificate local certificate authority so for that you need to click this one. But we have another solution as well generate self signed CA directly here rather than to click this one. So I will say generate self sign certificate so this was the first tip which is required for SSL decryption because this certificate will be used between main and the middle you know, we discuss SSL. This is the thing which they will work for us. So now it’s created what you need to know you double click either click on this one to edit it it will open now it’s created so showing us test BT it and all those details valid till 2021 up to ten year this is 200:31 so for ten it is valid. You need to recreate again and just the serial number and just the public key and everything now click on download it will ask you a password put any password suppose I say 123123 okay so password manage and okay so certificate is ready and it will be download to your system. They said this part is done. So our certificate we will do some other stuff later on when you do such a way. But at least it’s done, this part. Next thing I can create SSL policy now because this was required. So let’s go to policy. And here is SSL policy. Click on this one.

And there is SSL policy I was showing you. So I create their time, you remember? If it is not, you can create new policy I was showing you actions of their time. I create this policy by default there will be no policy just edit this policy if it is not just create a new one, it will be not there by default. So there is category administrator rule standard. It’s not just category. You can create more categories. Just like an excess control policy we discussed already. So it’s the same structure. You can see what you need to do. Click add role. An add role? Just say I want decrypt. So what you can do the first thing I will choose I already told you about this action. So I just need decrypt. Okay. So I will say decryption rule anything which you just click enable and where you want to put in category standard, rule, administrator and root and default. Whatever is better to win this one. So the action I say decrypt and resign when the client coming. Decrypt the traffic and resign and send it to outside. But which certificate to use? We just created this why it was required. You know this one firepower certificate. I gave them this name and then from where the traffic will go. So I say from inside to outside with the traffic going, what will be the network? You can mention your network and you can put any as well. So our inside subnet is this one, not this one. Our inside subnet is one. So if one is not there, there is by default as well this one. So this one also mesh to our 1192 1680. So you can put source and destination. It can go anywhere. So don’t need to put the destination. Then we don’t have Vlad, we don’t have user. We user next week we will do then application. You can put specific application as well that you want decryption policy for specific application for specific port you can put suppose in this case I say add to destination http and Https.

That’s the most time of the traffic which you want to decrypt. Yeah. So you can put such way as more specific. There is categories. You can put a category like I told you, don’t decrypt like a medical medicine. So if there is a medicine category health and medicine and then there is a financial as well. Finance is well. So create a new rule and say do not decrypt finance and medical in real what we do like this way. But here in Lebi said decrypt everything because we just want to test then just the certificate. You can put the certificate if you have DN. You can create if your specific website is not working which I told you. So you can create here just aid and that website detail and whatever action you want to take just add them to here and this certificate status it will revoke any certificate if it is valid. And these are the action which they can take self sign any it will accept and all those things. So this is the detail cypersuit. These are the CyberSe they accept CyberSec we discuss in CCNP three DS, AES, Des and these are the thing which they accepting. Okay? And version which version. So I just show you version. So TLS version and all those they can support. If you say don’t support this one. So you can say so if any browser is using TLS 1. 2 or one so they will not accept. You can check that one last thing, which is must log event so that we can see in the event viewer. It’s very important so that we can figure out and say aid. So this rule is aid and I said decrypt every traffic and if nothing is matched by default, action is do not decrypt. Okay? And logs is not enabled. So let’s enable logs and do not decrypt as well so we can figure out what is the issue. I think so logs is enabled here I enable logs. Why it’s not showing? So let’s go. Yeah, it’s okay. I thought it’s not showing. It show you like this one. So it’s here. Now maybe it’s hidden here. There is many other line so that’s why so my rule is done. And now save. Okay, so our SSL policy is ready.

So first it’s required certificate, which we done. Then we export the certificate. Then we use the certificate name here in SSL policy. Now every policy has to be integrated to access control policy. So we just need to go back to access control policy edit access control policy. But where the hell is to attach this SSL policy? Because this is prefilter we used last time. And here is SSL policy. You see? SSL policy. So you can click here and the one which we create was SSL policy in OK, done. Either you can go to advance and there should be SSL policy. Click on this one and again it’s showing you the same thing. So it’s up to you to come here. Either you want directly so now it’s integrated to this rule. Okay? SSL policy. So whenever somebody is going from inside to outside so it will decrypt the packet. Okay? And what else? Yeah and save this setting now and deploy. So now everything from firewall side is done. So we need to choose our this one and deploy. So until it’s deployed we need now the client side configuration. But let me go quickly. So internal cav create this the name we give them. We download it’s here. Now we will use then we go to SSL. We create SSL rule and we already know these. Okay we enable events then we create SSL rule to decrypt everything. And the default one we enable logs. Okay. Then we go to access control policy and attach SSL policy there. Now we just deploy everything. Now there’s the client side. Because you need to push this certificate to all client. The one which we download this one.

So let me go to the certificate which we download here is let me copy this one. And we need to go to our internal PC all of them. So let’s go to PC three. So this is PC three. Okay and let me see the connection is there. Yeah. Okay and paste that certificate here. But you may thinking that suppose if you have 500 user or 1000 user so you will copy and paste the certificate and will deploy no, you can use active directory to push this certificate to all system automatically but because in this case you are using label. So in one system ie. That downloaded certificate you remember? Now click on this one and install PFX current user, either machine, whatever next the password which we put it was one, two, three and next if I can increase more this one so that you can see them no okay and we have to put this certificate just to put somewhere. So in personal we will put next and finish this was not installed. Certificate is not installed because this format is different the actual certificate now we will create so I push the certificate to that personal. Now go to that personal place. So MMC open MMC EIS open now so go to MMC because there is no direct certificate opening place file aid remove snap in user certificate aid all user okay and there is a certificate. Now go to personal certificate and their certificate is here. Now this is what I need so open at this certificate firewall certificate which we create of 220 31 is valid. Go to detail. This the detail this the version that’s the detail if we go so our common name is firewall certificate test our organization unit is it organization is BT location is riyadh and source location and country. So the arabs mention everything like any other certificate. Click copy to file next and use this third one and select this one next. And where do I put one? So let me go to desktop and give them certificate my cert whatever the name next and finish now is ready. So certificate now we achieve the certificate here is not this one this one the proper one. Now go to any website because if I go without this certificate it will give me certificate error. Let’s go to any website like I don’t know how many wikipedia google so it has to give me certificate error. By the way it does not give me it has to give us certificate error. Let me see now the policy is push or not yet okay it’s not yet okay sorry. So without certificate it will give error like this one. You see this one because we did not install certificate from this one this evng and also like this one. So right now if I from this internal system try to visit any website that has to give me certificate error right now still they are using google direct certificate google certificate why? Because still we did not push them. So after pushing this SSL policy every client has to connect to firewall certificate and I did not install firewall certificate yet in the browser so what will happen? It will happen like this way it says not secure envelope certificate like this one. So let’s see after pushing this one so we will see and then we will push the certificate so this error will go out and then they will use firepower certificate rather than right now they are using direct certificate up like a google NDG cert and other certificate.

Okay, so let’s watch out for that one and I need some website like a Wikipedia. Cisco. com is better, I can’t remember. So it’s complete now and let’s see if I go to Cisco. com. So let’s see it’s giving me error or not? I believe that it has to give me certificate error. Yes, so it’s coming now even though Cisco is not an unsecure website, say your connection is not private. So if you go to advance and proceed, it will be proceed but without unsecure because now we need a certificate so this issue can go out. So what you can do, go to setting and where to put the certificate. So we need to go to I believe security or something. So let’s check out. Let me search by the certificate. So let’s see, here is manage certificate and whereas this is trusted root certificate authority where all authority are there, but our one is not there. So I say import next browse and here is our certificate make them all file here is my certificate next and next and finish it may give you a warning. Say yes, install this certificate. Okay and okay, so now certificate is there and if I go back and type Cisco so it has to use our certificate FMC certificate and there will be no error. By the way, it’s still giving error. So we need to clear the cache. So let’s see, either we can go like new and d go like this way Cisco. com. So let’s see it using our certificate or not. Okay, let’s see it’s giving error or not. This time it hasn’t to be because now we install the certificate in the browser. Now in real world you may face some issue unfortunately when you push the certificate so it’s going only to Chrome and Internet Explorer, but it’s not going to firefox. So you need to create a new rule and active directory to push through that one. That’s the only thing you need to remember for real world. Now certificate, let’s see it’s using as you see issue by firepower certificate test that’s the name which I give but how we can verify? Let’s go to Firepower and go to analysis events and see now the traffic can be even the Cisco traffic is decrypted by our firewall now and here you need to check what is called table view. Let’s see, there should be SSL something okay, there will be a column related to SSL and you will see it will be decrypt and resign. So let’s go there URL and there may be SSL one. So still I cannot see SSL okay, let’s see. The traffic is not yet here, so yeah, there is SSL status, so it should be here. You can see decrypt and resign. That’s what we use. And what is decrypt and resign. We already know that the internal traffic. So somebody is going to from here to here. It says allowed one three is my system. This system. Okay, if you want to see the IP. So let me show you IP config. So this one is one three. So they say one three is going to Cisco. This is Cisco IP USA. And we decrypt the packet is mentioned here as well, cisco. So we decrypt the packet using Chrome and we are using Chrome.

Yes, and then it will be sent to Cisco. And from Cisco the packet came, they can check and then they can allow if it is allowed. So in this way now, if somebody is reaching to Malware website, which is Https based, so it will be block. If we are using, let me show you, by the way, we will do their test in intrusion policy and malware policy. But anyway, if we are using, I can show you that one, it will decrypt that website. So in this way you cannot bypass the firewall. But if you are not using SSL decryption, keep in mind so you can easily bypass and every interview security related, they are asking this question how the firewall see the traffic and how they are blocking and if we have a SSL traffic. So tell me how SSL is working and how the firewall will stop that. Because we know that nobody can see the traffic of SSL and TNS. So how the firewall can see. So that means that you need to know this SSL decryption concept, which is very important for every next generation firewall. Without this SSL decryption, none of the firewall of next generation is just good for nothing and shortcut. So let me go back if I missed something. So we install the certificate temporary location. Then we open that place and from there we export the certificate. Then we import. In this case I import to Chrome. But in this screenshot I use Mozilla. So it’s up to you. You can use any browser. So I import them and then we see decrypt resign. Because you are using only one method, you can exclude many website using do not decrypt like many website which I told you. Okay, so this is the way how SSL decryption policy work. And we create SSL. Then we integrate to access control policy. But it was required certificates. We create certificate locally. It can be by certificate to import and it can be from Windows Server certificate to import them here. And it can be locally within the firewall. So we done that. Part one we create locally inside the firewall. And we used that certificate.

• Category: Uncategorized