Getting Started with SSL Policies
An
SSL policy
determines how the system handles encrypted traffic on your network. You can configure one or more SSL policies. You associate an SSL policy with an access control policy, then apply the access control policy. When the ASA FirePOWER module detects a TCP handshake, the access control policy first handles and inspects the traffic. If it subsequently identifies an SSL-encrypted session over the TCP connection, the SSL policy takes over, handling and decrypting the encrypted traffic. You can have one currently applied SSL policy.
The simplest SSL policy, as shown in the following diagram, directs the device where it is applied to handle encrypted traffic with a single default action. You can set the default action to block decryptable traffic without further inspection, or inspect undecrypted decryptable traffic with access control. The system can then either allow or block the encrypted traffic. If the ASA FirePOWER module detects undecryptable traffic, it either blocks the traffic without further inspection or does not decrypt it, inspecting it with access control.
This chapter explains how to create and apply a simple SSL policy. It also contains basic information on managing SSL policies: editing, updating, comparing, and so on. For more information, see:
A more complex SSL policy can handle different types of undecryptable traffic with different actions, control traffic based on whether a certificate authority (CA) issued or trusts the encryption certificate, and use SSL rules to exert granular control over encrypted traffic logging and handling. These rules can be simple or complex, matching and inspecting encrypted traffic using multiple criteria. After you create a basic SSL policy, see the following chapters for more information on tailoring it to your deployment:
Creating a Basic SSL Policy
License:
Any
When you create a new SSL policy you must, at minimum, give it a unique name and specify a policy default action. You have the following options when selecting a default action for a new policy:
-
Do not decrypt
creates a policy with the Do not decrypt default action.
-
Block
creates a policy with the Block default action.
-
Block with reset
creates a policy with the Block with reset default action.
After you create the SSL policy, you can modify the default action. For guidance on choosing a default action, see Setting Default Handling and Inspection for Encrypted Traffic.
The new SSL policy also contains default actions for traffic the system cannot decrypt: either it inherits the default action you just selected for undecryptable traffic, blocks it, or does not decrypt the traffic and inspects it with access control. You can modify the undecryptable traffic actions after you create the SSL policy. For guidance on selecting undecryptable traffic actions, see Setting Default Handling for Undecryptable Traffic
On the SSL policy page (
Configuration > ASA FirePOWER Configuration > Policies > SSL
) you can view all your current SSL policies by name with optional description. Options on this page allow you to compare policies, create a new policy, copy a policy, view a report that lists all of the most recently saved settings in each policy, edit a policy, or delete a policy.
The following table describes the actions you can take to manage your policies on the SSL Policy page:
Table 15-1 SSL Policy Management Actions
|
|
create a new SSL policy
|
click
New Policy
. See Creating a Basic SSL Policy for more information.
|
modify the settings in an existing SSL policy
|
click the edit icon (
). See Editing an SSL Policy for more information.
|
compare SSL policies
|
click
Compare Policies
. See Comparing SSL Policies for more information.
|
copy an SSL policy
|
click the copy icon (
). See Editing an SSL Policy for more information on editing a copied policy.
|
view a PDF report that lists the current configuration settings in an SSL policy
|
click the report icon (
). See Generating a Report of Current Traffic Decryption Settings for more information.
|
delete an SSL policy
|
click the delete icon (
), then click
OK
. When prompted whether to continue, you are also informed if another user has unsaved changes in the policy.
|
To create an SSL policy:
Step 1 Select
Configuration > ASA FirePOWER Configuration > Policies > SSL
.
The SSL Policy page appears.
Step 2 Give the policy a unique
Name
and, optionally, a
Description
.
You can use all printable characters, including spaces and special characters.
Step 3 Specify the
Default Action
.
Note that you can modify your selected default action after you create your SSL policy. See Setting Default Handling and Inspection for Encrypted Traffic for more information.
Step 4 Click
Store ASA FirePOWER Changes
.
The SSL Policy Editor page appears. See Editing an SSL Policy for more information.
Setting Default Handling and Inspection for Encrypted Traffic
License:
Any
The default action for an SSL policy determines how the system handles decryptable encrypted traffic that does not match any non-Monitor rule in the policy. When you apply an SSL policy that does not contain any SSL rules, the default action determines how all decryptable traffic on your network is handled. See Setting Default Handling for Undecryptable Traffic for more information on how the system handles undecryptable encrypted traffic.
The following table lists the default actions you can choose, as well as their effect on encrypted traffic. Note that the system does not perform any kind of inspection on encrypted traffic blocked by the default action.
:
Table 15-2 SSL Policy Default Actions
|
Effect on Encrypted Traffic
|
Block
|
block the SSL session without further inspection
|
Block with reset
|
block the SSL session without further inspection and reset the TCP connection
|
Do not decrypt
|
inspect the encrypted traffic with access control
|
When you first create an SSL policy, logging connections that are handled by the default action is disabled by default. You can change this, as well as the default action itself, after you create the policy.
The following procedure explains how to set the default action for an SSL policy while editing the policy. See Editing an SSL Policy for the complete procedure for editing an SSL policy.
To set the default action of an SSL policy:
Step 1 Select
Configuration > ASA FirePOWER Configuration > Policies > SSL
.
The SSL policy page appears.
Step 2 Click the edit icon (
) next to the SSL policy you want to configure.
The SSL policy editor appears.
Step 3 Select a
Default Action
. See the
SSL Policy Default Actions
table for more information.
Step 4 Configure logging options for the default action as described in Logging Decryptable Connections with SSL Rules.
Step 5 Click
Store ASA FirePOWER Changes
.
The SSL Policy Editor page appears. See Editing an SSL Policy for more information.
Setting Default Handling for Undecryptable Traffic
License:
Any
You can set undecryptable traffic actions at the SSL policy level to handle certain types of encrypted traffic the system cannot decrypt or inspect. When you apply an SSL policy that does not contain any SSL rules, the undecryptable traffic actions determine how all undecryptable encrypted traffic on your network is handled.
Depending on the type of undecryptable traffic, you can choose to:
-
block the connection
-
block the connection, then reset it
-
inspect the encrypted traffic with access control
-
inherit the default action from the SSL policy
The following table describes the undecryptable traffic types:
Table 15-3 Undecryptable Traffic Types
|
|
|
|
Compressed Session
|
The SSL session applies a data compression method.
|
Inherit default action
|
Do not decrypt
Block
Block with reset
Inherit default action
|
SSLv2 Session
|
The session is encrypted with SSL version 2.
Note that traffic is decryptable if the client hello message is SSL 2.0, and the remainder of the transmitted traffic is SSL 3.0.
|
Inherit default action
|
Do not decrypt
Block
Block with reset
Inherit default action
|
Unknown Cipher Suite
|
The system does not recognize the cipher suite.
|
Inherit default action
|
Do not decrypt
Block
Block with reset
Inherit default action
|
Unsupported Cipher Suite
|
The system does not support decryption based on the detected cipher suite.
|
Inherit default action
|
Do not decrypt
Block
Block with reset
Inherit default action
|
Session not cached
|
The SSL session has session reuse enabled, the client and server reestablished the session with the session identifier, and the system did not cache that session identifier.
|
Inherit default action
|
Do not decrypt
Block
Block with reset
Inherit default action
|
Handshake Errors
|
An error occurred during SSL handshake negotiation.
|
Inherit default action
|
Do not decrypt
Block
Block with reset
Inherit default action
|
Decryption Errors
|
An error occurred during traffic decryption.
|
Block
|
Block
Block with Reset
|
When you first create an SSL policy, logging connections that are handled by the default action is disabled by default. Because the logging settings for the default action also apply to undecryptable traffic handling, logging connections handled by the undecryptable traffic actions is disabled by default. For more information on configuring default logging, see Logging Decryptable Connections with SSL Rules.
Note The system cannot decrypt traffic if an HTTP proxy is positioned between a client and your device, and the client and server establish a tunneled SSL connection using the CONNECT HTTP method. The Handshake Errors undecryptable action determines how the system handles this traffic. See Decrypt Actions: Decrypting Traffic for Further Inspection for more information.
Note that if your browser uses certificate pinning to verify a server certificate, you cannot decrypt this traffic by re-signing the server certificate. Because you can still inspect this traffic with access control, it is not handled by the undecryptable traffic actions. If you want to allow this traffic, configure an SSL rule with the Do not decrypt action to match the server certificate common name or distinguished name.
To set the default handling for undecryptable traffic:
Step 1 Select
Configuration > ASA FirePOWER Configuration > Policies > SSL
.
The SSL Policy page appears.
Step 2 Click the edit icon (
) next to the SSL policy you want to configure.
The SSL policy editor appears.
Step 3 Select the
Undecryptable Actions
tab.
The Undecryptable Actions tab appears.
Step 4 For each field, select the action you want to take on the type of undecryptable traffic, or if you want to apply the SSL policy’s default action. See the
SSL Policy Default Actions
table for more information.
Step 5 Click
Store ASA FirePOWER Changes
.
You must apply the associated access control policy for your changes to take effect; see Deploying Configuration Changes.
Editing an SSL Policy
License:
Any
On the SSL policy editor, you can configure your policy and organize SSL rules. To configure an SSL policy, you must give the policy a unique name and specify a default action. You can also:
-
add, edit, delete, enable, and disable SSL rules
-
add trusted CA certificates
-
determine the handling for encrypted traffic the system cannot decrypt
-
log traffic that is handled by the default action and undecryptable traffic actions
After you create or modify an SSL policy, you can associate it with an access control policy, then apply the access control policy. You can also create custom user roles that allow you to assign different permissions to different users for configuring, organizing, and applying policies.
The following table summarizes the configuration actions you can take on the SSL policy editor.
Table 15-4 SSL Policy Configuration Actions
|
|
modify the policy name or description
|
click the name or description field, delete any characters as needed, then type the new name or description.
|
set the default action
|
find more information at Setting Default Handling and Inspection for Encrypted Traffic.
|
set default handling for undecryptable traffic
|
find more information at Setting Default Handling for Undecryptable Traffic.
|
log connections for the default action and undecryptable traffic actions
|
find more information at Logging Decryptable Connections with SSL Rules.
|
add trusted CA certificates
|
find more information at Trusting External Certificate Authorities.
|
assign different rights to different users
|
find more information at Collecting Prerequisite Information to Configure SSL Rules.
|
save your policy changes
|
click
Save
.
|
cancel your policy changes
|
click
Cancel
, then, if you have made changes, click
OK
.
|
add a rule to a policy
|
click
Add Rule
. See Understanding and Creating SSL Rules for more information.
Tip You can also right-click a blank area in the row for a rule and select Insert new rule.
|
edit an existing rule
|
click the edit icon (
) next to the rule. See Understanding and Creating SSL Rules for more information.
Tip You can also right-click the rule and select Edit.
|
delete a rule
|
click the delete icon (
) next to the rule, then click
OK
.
Tip You can also right-click a blank area in the row for a selected rule, select Delete, then click OK to delete one or more selected rules.
|
enable or disable an existing rule
|
right-click a selected rule, select
State
, then select
Disable
or
Enable
. Disabled rules are grayed and marked
(disabled)
beneath the rule name.
|
display the configuration page for a specific rule attribute
|
click the name, value, or icon in the column for the condition on the row for the rule. For example, click the name or value in the
Source Networks
column to display the Networks page for the selected rule. See Tuning Traffic Decryption Using SSL Rules for more information.
|
When you change your configuration, a message indicates that you have unsaved changes. To retain your changes, you must save the policy before exiting the policy editor. If you attempt to exit the policy editor without saving your changes, you are cautioned that you have unsaved changes; you can then discard your changes and exit the policy, or return to the policy editor.
To protect the privacy of your session, after sixty minutes of inactivity on the policy editor, changes to your policy are discarded and you are returned to the SSL Policy page. After the first thirty minutes of inactivity, a message appears and updates periodically to provide the number of minutes remaining before changes are discarded. Any activity on the page cancels the timer.
When multiple users edit the same policy concurrently, a message on the policy editor identifies other users who have unsaved changes. Any user who attempts to save changes is cautioned that his changes will overwrite changes by other users. When the same policy is saved by multiple users, the last saved changes are retained.
To edit an SSL policy:
Step 1 Select
Configuration > ASA FirePOWER Configuration > Policies > SSL
.
The SSL Policy page appears.
Step 2 You have the following choices:
Step 3 Save or discard your configuration. You have the following choices:
-
To save your changes and continue editing, click
Store ASA FirePOWER Changes
.
-
To discard your changes, click
Cancel
and, if prompted, click
OK
.
Your changes are discarded and the SSL Policy page appears.
Applying Decryption Settings Using Access Control
License:
Any
After making any changes to an SSL policy, you must apply the access control policy it is associated with. For more information, see Deploying Configuration Changes.
Keep the following points in mind when applying SSL policies:
-
You cannot delete an SSL policy that has been applied or is currently applying.
-
Applying an access control policy automatically applies the associated SSL policy. You cannot apply an SSL policy independently.
Note In a passive deployment, the system cannot influence the flow of traffic. If you attempt to apply an access control policy that references an SSL policy that blocks encrypted traffic, or that is configured to decrypt traffic by re-signing the server certificate, the system displays a warning. Also, passive deployments do not support decrypting traffic encrypted with the ephemeral Diffie-Hellman (DHE) or the elliptic curve Diffie-Hellman (ECDHE) cipher suites.
To associate an SSL policy with an access control policy:
Step 1 Select
Configuration > ASA FirePOWER Configuration > Policies > Access Control Policy
.
The Access Control Policy page appears.
Step 2 Click the edit icon (
) next to the access control policy you want to configure.
The access control policy editor appears.
Step 3 Select the
Advanced
tab.
Advanced settings for the access control policy appear.
Step 4 Click the edit icon (
) next to General Settings.
The General Settings pop-up window appears.
Step 5 Select an SSL policy from the
SSL Policy to use for inspecting encrypted connections
drop-down.
Step 6 Click
OK
.
Advanced settings for the access control policy appear.
Step 7 Click
Store ASA FirePOWER Changes
.
You must apply the access control policy for your changes to take effect; see Deploying Configuration Changes.
Generating a Report of Current Traffic Decryption Settings
License:
Any
An SSL policy report is a record of the policy and rules configuration at a specific point in time. You can use the report for auditing purposes or to inspect the current configuration.
Tip You can also generate an SSL comparison report that compares a policy with the currently applied policy or with another policy. For more information, see Comparing SSL Policies.
An SSL policy report contains the sections described in the following table.
Table 15-5 SSL Policy Report Sections
|
|
Title Page
|
Identifies the name of the policy report, the date and time the policy was last modified, and the name of the user who made that modification.
|
Table of Contents
|
Describes the contents of the report.
|
Policy Information
|
Provides the name and description of the policy, the name of the user who last modified the policy, and the date and time the policy was last modified.
|
Default Action
|
Provides the default action.
|
Default Logging
|
Provides the default connection logging settings.
|
Rules
|
Provides the rule action and conditions for each rule in the policy, by rule category.
|
Trusted CA Certificates
|
Provides the CA certificates that are automatically trusted if detected traffic is encrypted using these certificates or other certificates within the chain of trust.
|
Undecryptable Actions
|
Provides the action taken on detected types of traffic that cannot be decrypted.
|
Referenced Objects
|
Provides the name and configuration of all individual objects and group objects used in the policy, by type of condition (networks, ports, and so on) where the object is configured.
|
To view an SSL policy report:
Step 1 Select
Configuration > ASA FirePOWER Configuration > Policies > SSL.
The SSL Policy page appears.
Step 2 Click the report icon (
) next to the policy for which you want to generate a report. Remember to save any changes before you generate an SSL policy report; only saved changes appear in the report.
The system generates the report. Depending on your browser settings, the report may appear in a pop-up window, or you may be prompted to save the report to your computer.
Comparing SSL Policies
License:
Any
To review policy changes for compliance with your organization’s standards or to optimize system performance, you can examine the differences between two SSL policies. You can compare any two policies or the currently applied policy with another policy. Optionally, after you compare, you can then generate a PDF report to record the differences between the two policies.
There are two tools you can use to compare policies:
-
The comparison view displays only the differences between two policies in a side-by-side format. The name of each policy appears in the title bar on the left and right sides of the comparison view except when you select
Running Configuration
, in which case a blank bar represents the currently active policy.
You can use this to view and navigate both policies on the web interface, with their differences highlighted.
-
The comparison report creates a record of only the differences between two policies in a format similar to the policy report, but in PDF format.
You can use this to save, copy, print, and share your policy comparisons for further examination.
For more information on understanding and using the policy comparison tools, see:
Using the SSL Policy Comparison View
License:
Any
The comparison view displays both policies in a side-by-side format, with each policy identified by name in the title bar on the left and right sides of the comparison view. When comparing two policies other than the running configuration, the time of last modification and the last user to modify are displayed with the policy name. Differences between the two policies are highlighted:
-
Blue indicates that the highlighted setting is different in the two policies, and the difference is noted in red text.
-
Green indicates that the highlighted setting appears in one policy but not the other.
You can perform any of the actions in the following table.
Table 15-6 SSL Policy Comparison View Actions
|
|
navigate individually through changes
|
click
Previous
or
Next
above the title bar.
The double-arrow icon (
) centered between the left and right sides moves, and the
Difference
number adjusts to identify which difference you are viewing.
|
generate a new policy comparison view
|
click
New Comparison.
The
Select Comparison
window appears. See Using the SSL Policy Comparison Report for more information.
|
generate a policy comparison report
|
click
Comparison Report
.
The policy comparison report creates a PDF document that lists only the differences between the two policies.
|
Using the SSL Policy Comparison Report
License:
Any
An SSL policy comparison report is a record of all differences between two SSL policies or a policy and the currently applied policy identified by the policy comparison view, presented in PDF format. You can use this report to further examine the differences between two policy configurations and to save and disseminate your findings.
You can generate an SSL policy comparison report from the comparison view for any policies to which you have access. Remember to save any changes before you generate a policy report; only saved changes appear in the report.
The format of the policy comparison report is the same as the policy report with one exception: the policy report contains all configurations in the policy, and the policy comparison report lists only those configurations that differ between the policies. An SSL policy comparison report contains the sections described in Generating a Report of Current Traffic Decryption Settings.
Tip You can use a similar procedure to compare access control, network analysis, intrusion, file, system, or health policies.
To compare two SSL policies:
Step 1 Select
Configuration > ASA FirePOWER Configuration > Policies > SSL.
The SSL Policy appears.
Step 2 Click
Compare Policies
.
The Select Comparison window appears.
Step 3 From the
Compare Against
drop-down list, select the type of comparison you want to make:
-
To compare two different policies, select
Other Policy
.
The page refreshes and the Policy A and Policy B drop-down lists appear.
-
To compare another policy to the currently active policy, select
Running Configuration.
The page refreshes and the Target/Running Configuration A and Policy B drop-down lists appear.
Step 4 Depending on the comparison type you selected, you have the following choices:
-
If you are comparing two different policies, select the policies you want to compare from the Policy A and Policy B drop-down lists.
-
If you are comparing the running configuration to another policy, select the second policy from the Policy B drop-down list.
Step 5 Click
OK
to display the policy comparison view.
The comparison view appears.
Step 6 Optionally, click
Comparison Report
to generate the SSL policy comparison report.
The SSL policy comparison report appears. Depending on your browser settings, the report may appear in a pop-up window, or you may be prompted to save the report to your computer.