Understanding HTTPS to Decrypt it James Everett
Cisco Spark: Questions? Use Cisco Spark to communicate with the speaker after the session.
  1. Find this session in the Cisco Live Mobile App
  2. Click Join the Discussion
  3. Install Spark or go directly to the space
  4. Enter messages/questions in the space
  cs.co/ciscolivebot
2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
  Overview of HTTPS
  Understanding the SSL handshake
  Working with SSL packet captures
  Building an SSL policy
  SSL policy best practices
  Troubleshooting SSL in Firepower
Your Presenter: James Everett, Tech Lead for Firepower TAC, 4+ years of experience
This presentation will not cover
  Firepower Device Manager
  Firepower configuration (excluding SSL)
  TCP stream (handshakes)
  Basic Wireshark usage
  Web server configurations
Overview of HTTPS
HTTPS on the web
  HTTP inside an SSL tunnel
  HTTPS starts with asymmetric encryption
  Public Key Infrastructure
Public Key Infrastructure: Security of the unknown (diagram; labels: Cisco.com certificate)
Public Key Infrastructure: Building trust (diagram; labels: Trusted Certificates, Cisco.com certificate)
Public Key Infrastructure: Malicious certificates (diagram; labels: Trusted Certificates, Cisco.com certificate)
Public Key Infrastructure: Man in the middle on employees (diagram; labels: Trusted Certificates, Company Certificate Authority, Cisco.com certificate)
Public Key Infrastructure: Man in the middle on guests (diagram; labels: Trusted Certificates, Company Certificate Authority, Cisco.com certificate)
Public Key Infrastructure: Stolen private key (diagram; labels: Cisco.com certificate)
Questions?
Understanding SSL Handshake
Client Hello: Calling an office (analogy). Dial +192-168-2-1, ext: www.ciscolive.com; languages offered: English, French, Spanish; video.
Server Hello: The company answers as www.ciscolive.com, picks English, and presents a badge ID.
Certificate: Verify the badge ID (diagram: Ciscolive.com, badge ID C1sc02018, is looked up in the directory; directory entries Snort.org, badge ID IPS, and Snort.org, badge ID IPS).
Handshake completed: We feel safe talking to him.
Client Hello: Let us think security this time.
Server Hello and Certificate: Thinking security asymmetrically.
Client Key Exchange: This is looking better.
Server Change Cipher Spec: Now to complete the handshake.
SSL Handshake Complete: Now we are talking symmetrically.
Questions?
Working with SSL packet captures
Understanding HTTPS with packet captures
  High-level overview
  Standard session / deep dive
  Decrypt Re-sign
Icon key: Stop and wait; TAC Tip; Reference slide; Platform specific
Client Hello: Unfiltered and full
Server Hello: Reduced by half
Certificate: Showing their credentials
Client Key Exchange: Here the encrypted messages start
Standard SSL session, Example 1: Standard non-decrypted SSL session to www.ciscolive.com (Example1.pcap)
Example 1 (screenshot)
Example 1: Wireshark tip for following a stream
Example 1: HTTP to HTTPS redirect
Example 1: HTTP to HTTPS redirect, zoomed in
Example 1: HTTPS connection to www.ciscolive.com
Client Hello: Starting at the top
Client Hello: Cipher suites
Client Hello: Extensions, Server Name Indication (SNI). Issue prior to 6.1; potential new issue.
Client Hello: Extensions continued
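The fields the deck walks through in Wireshark (record and client version, cipher suites, SNI, extensions) can also be pulled out of a raw ClientHello programmatically. The following Python is an added example, not code from the presentation or from Cisco. It builds a constructed TLS 1.2 ClientHello (build_client_hello, a hypothetical helper used only to produce sample bytes) and dissects it with parse_client_hello. Beyond listing the fields, the parser flags the points the rest of the deck cares about: whether any non-ECDHE suite is offered (Decrypt Known-key cannot work with Perfect Forward Secrecy suites), whether Extended Master Secret (extension 23) is present, and whether ALPN (16) or NPN (13172) are present, the two extensions the ssl-client-hello-tuning command in the troubleshooting section removes.

```python
"""Dissect a TLS ClientHello the way the deck does in Wireshark: record and
client versions, cipher suites, SNI and extensions.
Added example; not code from the presentation. build_client_hello constructs
a sample hello for the demo and is a hypothetical helper."""
import struct

# A few IANA-registered cipher suite values (extend as needed).
CIPHER_SUITES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
# Extension type numbers (IANA); 16 and 13172 are the two the deck's
# ssl-client-hello-tuning example removes, 23 is Extended Master Secret.
EXTENSIONS = {
    0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
    13: "signature_algorithms", 16: "application_layer_protocol_negotiation",
    23: "extended_master_secret", 35: "session_ticket",
    13172: "next_protocol_negotiation",
}

def parse_client_hello(record):
    """Parse one TLS record holding a ClientHello; return a summary dict."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 0
    client_ver = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    pos += 32                                   # client random
    pos += 1 + hello[pos]                       # session id (length-prefixed)
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                       # compression methods
    exts, sni, alpn = {}, None, []
    if pos < len(hello):
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            data = hello[pos:pos + elen]; pos += elen
            exts[etype] = EXTENSIONS.get(etype, "unknown")
            if etype == 0:                      # SNI: list len(2), type(1), len(2), name
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii")
            elif etype == 16:                   # ALPN: list len(2), then len(1)+name each
                i = 2
                while i < len(data):
                    alpn.append(data[i + 1:i + 1 + data[i]].decode("ascii"))
                    i += 1 + data[i]
    names = [CIPHER_SUITES.get(s, "0x%04X" % s) for s in suites]
    return {
        "record_version": "0x%04X" % rec_ver,
        "client_version": "0x%04X" % client_ver,
        "cipher_suites": names,
        "offers_non_pfs_suite": any(n.startswith("TLS_RSA_WITH") for n in names),
        "sni": sni,
        "alpn": alpn,
        "extensions": exts,
        "extended_master_secret": 23 in exts,
        "needs_hello_tuning": any(e in exts for e in (16, 13172)),
    }

def build_client_hello(sni, suites, alpn=("h2", "http/1.1"), ems=True):
    """Constructed TLS 1.2 ClientHello for the demo (hypothetical helper)."""
    def ext(etype, data):
        return struct.pack("!HH", etype, len(data)) + data
    host = sni.encode("ascii")
    exts = ext(0, struct.pack("!HBH", len(host) + 3, 0, len(host)) + host)
    protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
    exts += ext(16, struct.pack("!H", len(protos)) + protos)
    if ems:
        exts += ext(23, b"")
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"     # version, random, empty session id
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00"      # suites, null compression only
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake

# Constructed sample: a browser-like hello to www.ciscolive.com.
SAMPLE_HELLO = build_client_hello("www.ciscolive.com", [0xC02B, 0xC02F, 0x009C, 0x002F])

if __name__ == "__main__":
    for key, value in parse_client_hello(SAMPLE_HELLO).items():
        print("%-24s %s" % (key, value))
```

To run this against a real capture, export the bytes of the TLS record that carries the ClientHello from Wireshark and pass them to parse_client_hello; the extension dictionary then tells you directly whether the hello carries SNI (the pre-6.1 issue on the slide above) or the ALPN/NPN extensions that may need tuning.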
Server Hello (screenshot)
Certificate: Summarized view
Certificate: Take a look before continuing
Certificate: Looking into the presented server certificate
Certificate: Manually checking the certificate
Certificate: Expanding the extensions
Example 2, Decrypt Re-sign: Decrypt Re-sign traffic to www.ciscolive.com (Example2.pcap, CiscoLiveConnectionEvent-Example2.pdf, CiscoLiveConnectionEvent-Example2.csv)
Example 2: Overview of the pcap
Example 2: Verify decryption
Example 2: Verify decryption continued
Example 2: PDF of the connection event
Example 3: Practice your skills (challenging). Example3.pcap, FMC.crt (the FMC's web certificate)
Example 3 questions: Was this traffic decrypted? How do you know?
Example 3 answers: Was this traffic decrypted? Yes. How do you know? The serial numbers do not match. Was this a fair question? No.
Example 3: How did you find the serial number difference? Compare FMC.crt with the certificate in Example3.pcap.
Example 3: What if we cannot get the certificate? Compare against the certificate as seen from another network (Example3.pcap).
Example 3: Why is the issuer wrong?
Example 3: A simple checkbox
Example 3 reasons: Let the client decide to trust this certificate
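The check Example 3 asks you to do by eye, comparing the serial number (and issuer) of the certificate on the wire with the server's real certificate, can be scripted. The following Python is an added example, not code from the presentation or from Cisco; it walks the DER structure by hand so it needs no third-party library, and make_cert is a hypothetical helper that builds two constructed certificate skeletons holding only the leading TBSCertificate fields the comparison reads (version, serial, signature algorithm, issuer). In the lab, the real certificate is FMC.crt and the wire certificate is the one Wireshark shows in the Certificate message of Example3.pcap.

```python
"""Detect Decrypt Re-sign on the wire the way Example 3 does: compare the
serial number and issuer CN of the certificate seen in the capture with the
server's real certificate (FMC.crt in the lab).
Added example, not code from the presentation. It walks DER by hand so it
runs on a bare Python install; make_cert builds minimal constructed
certificate skeletons (hypothetical helper) holding only the fields read here."""

CN_OID = bytes.fromhex("550403")                     # 2.5.4.3 commonName
SHA256_RSA_OID = bytes.fromhex("2A864886F70D01010B")  # sha256WithRSAEncryption

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner

def cert_identity(der):
    """Return (serial_hex, issuer_cn) from a DER-encoded Certificate."""
    _, cert, _ = _read_tlv(der, 0)                   # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                   # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, issuer = fields[0][1].hex(), fields[2][1]   # serial, signature, issuer
    cn = None
    for _, rdn in _children(issuer):                 # Name ::= SEQUENCE OF RDN (SET)
        for _, atv in _children(rdn):                # AttributeTypeAndValue ::= SEQUENCE
            oid, val = list(_children(atv))
            if oid[1] == CN_OID:
                cn = val[1].decode("utf-8")
    return serial, cn

def was_resigned(wire_der, real_der):
    """True when the certificate on the wire is not the server's own certificate."""
    return cert_identity(wire_der) != cert_identity(real_der)

def _tlv(tag, value):
    """DER-encode one TLV (short or long-form length)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def make_cert(serial, issuer_cn):
    """Constructed certificate skeleton: version, serial, sigalg, issuer only."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))                                # v3
    serial_tlv = _tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    sig_alg = _tlv(0x30, _tlv(0x06, SHA256_RSA_OID) + _tlv(0x05, b""))
    atv = _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0C, issuer_cn.encode("utf-8")))
    issuer = _tlv(0x30, _tlv(0x31, atv))
    tbs = _tlv(0x30, version + serial_tlv + sig_alg + issuer)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))                  # empty signature

# Constructed samples: the server's real certificate versus what a client behind
# a Decrypt Re-sign rule sees (new serial number, issuer is the resigning CA).
REAL_CERT = make_cert(0x1A2B3C4D, "Example Public CA")
WIRE_CERT = make_cert(0x7F00AA, "Firepower Resigning CA")

if __name__ == "__main__":
    print("real:", cert_identity(REAL_CERT))
    print("wire:", cert_identity(WIRE_CERT))
    print("resigned:", was_resigned(WIRE_CERT, REAL_CERT))
```

With real certificates, export the wire certificate from Wireshark as DER and read FMC.crt as DER (or strip the PEM armour and base64-decode it) before passing both to was_resigned; a mismatching serial or issuer is the signature of Decrypt Re-sign, which is exactly why the issuer on the Example 3 slide looks "wrong".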
Example 4, QUIC: A look at QUIC (Example4.pcap)
Example 4: Open Chrome and Wireshark
Example 4: QUIC is UDP
TAC skills you learned
  What the SSL policy is doing
  How to follow an SSL session, from FMC to the wire
  How to read in depth: Client Hello, Server Hello, Certificate
Questions?
Building SSL Policy
Lab 1: Building the SSL policy
  Open Chrome and select the FMC bookmark (should be the home page)
  Navigate to Object > Object Management
  Open Lab 1 on your desktop: Ca.crt, Ca.key.pem
  Open both files with Notepad++ (right click, Edit with Notepad++)
Importing Certificates (screenshot)
Importing Certificates: Sourcefire (screenshot)
Importing Certificates: Internal CA
  Import CA: import an Internal CA. If it was generated on Windows, use the Subordinate CA certificate template.
  Generate CA: generate a self-signed root CA certificate.
  Generate CSR: have it signed as a Subordinate CA certificate (on Windows, use the Subordinate CA template).
Importing Certificates: Certificate install example
  If you were not given a password, you can leave it blank.
  This accepts Base64 or a certificate file (.cer, .crt, .pem, .der). If you receive a .pkcs12 or .pkcs7, you need to convert it to a .pem.
  Copy the entire Base64 text in the CSR box to Notepad and save it as a .csr. It should look similar to the example below; the important part is to include the entire text:
    -----BEGIN CERTIFICATE REQUEST-----
    -----END CERTIFICATE REQUEST-----
  Do not add carriage returns or "correct" the spacing; it could cause issues.
  Use Notepad or something similar; WordPad or Microsoft Word add hidden characters that could cause issues.
Importing Certificates: Certificate example
-----BEGIN CERTIFICATE REQUEST-----
MIIC6zCCAdMCAQAwZTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1EMQ8wDQYDVQQH
DAZGdWx0b24xDDAKBgNVBAoMA1RBQzEMMAoGA1UECwwDVEFDMRwwGgYDVQQDDBNG
aXJlcG93ZXIuY2lzY28uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEA3P8Q6Kp/LRa+uGqmiHBzyxux63NNRjMfuiRZjAUPWpUPJkooKQs5SwCjuecG
BU+aOKe7n6oxmYgNStBCLn0pBHeYYOR4ycTjNs0cyGzLRhkFdvMHfYMSd2oeRN2u
X2ZegisTMee0h1+BtmpfuQnCzqTcl3MpfxP8UtjMEixtIr+c5CQdi4WIona8+UQ0
mnodvsgzbtwsaqelmbthfwy/1mfds4zg1ohtobibom6yefu86yuzjaywlilupevl
3iVFCAcjvu02fvGZuPyws+6TsW/+7YVHh2WSXiiIxSU3PuOMyRvQnfiK95JQBChU
W1aZ920PKBZMzAIAknFf5nrTvwIDAQABoEEwPwYJKoZIhvcNAQkOMTIwMDAdBgNV
HQ4EFgQULVRSd/wf9+EvpfB9DcXMRyglUAswDwYDVR0TAQH/BAUwAwEB/zANBgkq
hkiG9w0BAQsFAAOCAQEAvncjebpzf2odf7j5ek6dhwkf+lrfnu/dy9xiwmhfaxwb
1p1iS1q93Sekq1uRO+hUGaVEfWr08tCVTrZ69Lo4t8PUHctcspUANCd9bRko1aV3
+4pD2mVudckjHcYmI/kr39BnOSxH0QxkFCGYHhG5nF4Hl4FYcmmhm1QPpkEPadIe
J7kUntGJ6QxCIlUZsMMmQIvXVnMc1F2C/QTi20scvEhnX/txJ8GfKqFEsNdjSuk1
dhujvw6nqucyo7mwbbcitxgyszaaw8m2shg4cwdsrbqjuhalegvkogqsxujbgylr
3OMOao+JJMNgKFLKWSuif02Z+bcTHDxB55O1KcG6Aw==
Importing Certificates (screenshot)
SSL Policy (configuration screenshots)
Undecryptable Actions
  Compressed Session: the SSL session applies a data compression method.
  SSLv2 Session: the session is encrypted with SSL version 2. Note that traffic is decryptable if the ClientHello message is SSL 2.0 and the remainder of the transmitted traffic is SSL 3.0.
  Unknown Cipher Suite: the system does not recognize the cipher suite; a software update may be required.
  Unsupported Cipher Suite: the system does not support decryption based on the detected cipher suite.
Undecryptable Actions (continued)
  Session Not Cached: the SSL session has session reuse; causes are mid-stream pickup (SSL handshake not seen) and Snort restart (SSL session tables lost).
  Handshake Errors: an error occurred during SSL handshake negotiation, for example an unsupported extension in the SSL handshake (Extended Master Secret prior to 6.1 would cause this).
  Decryption Errors: an error occurred during traffic decryption. It is not possible to allow this traffic; if this error occurs, the session is blocked.
SSL Policy (screenshot)
Using the SSL policy (screenshots)
Deploy our changes (screenshots)
Lab 2: Decrypting traffic
  RDP into 198.19.10.21 (should be a link on your desktop), Administrator/C1sco12345
  Navigate to www.ciscolive.com
Decrypting traffic: Untrusted certificate
Decrypting traffic: Bypassing the untrusted-certificate warning
Find the connection event: Easy search
Find the connection event (screenshot)
Challenge: Navigate to https://www.bankofamerica.com
Challenge: Why is this happening?
Challenge answer: Images, CSS and other page data are pulled from other sites. Those fail because the certificate is untrusted.
Lab 3: Installing the certificate
  RDP into 198.19.10.21 (should be a link on your desktop), Administrator/C1sco12345
  Open Lab 1 and double click the CA certificate
Lab 3: Installing the certificate (screenshots)
Lab 3: Testing
Challenge: Why did I put Chrome/IE in the top right and not include Firefox? Safari is the same as IE in this example.
Challenge answer: Firefox uses its own Certificate Authority repository.
Install the certificate (screenshots)
Challenge: You just installed the SSL policy. You just installed the certificate.
Challenge (screenshot)
Challenge answer: HSTS is comparing a cached certificate to the newly received one. Clear the cache.
Questions?
SSL Policy Best Practices
Typical deployment: Decrypt Resign (diagram)
Typical deployment: Decrypt Known-key (diagram)
Required before you begin (best practices)
  Internal root Certificate Authority (CA)
  Import all CAs in Trusted CA*
Typical basic policy: Decrypt Resign
Typical basic policy: Decrypt Known Key
Typical basic policy: Decrypt Combo
Good practice policy: Be aware of government laws
Good practice policy: For general purposes
Good practice: Notice
What to expect
  Currently an 80% performance hit
  May require web server modifications
  Perfect Forward Secrecy (ECDHE) does not work in Decrypt Known-key
Questions?
Troubleshooting SSL in Firepower
Interpreting the connection events: Enable the column (Success / Error)
Interpreting the connection event: Certificate deep dive
Check the SSL policy (screenshots)
Packet capture on Firepower Threat Defense (firepower)
  > capture-traffic
  Please chose domain to capture traffic from:
    0 - br1
    1 - Router
  Selection? 1
  Please specify tcpdump options desired.
  (or enter ? for a list of supported options)
  Options:
  ^C Caught interrupt signal
  Exiting.
  Ctrl+C to end. Always write to a file!!!
Packet capture on Firepower Threat Defense (Lina)
  > capture capin interface Inside match tcp host 192.168.10.10 any eq 443
  > show capture
  capture capin type raw-data interface Inside [Capturing - 0 bytes]
    match tcp host 192.168.10.10 any eq https
  > copy /pcap capture:capin disk0:
  Source capture name [capin]?
  Destination filename [capin]?
  !!!!!!!!!!
  353 packets copied in 0.40 secs
Client Hello tuning
  > system support ssl-client-hello-tuning
  SSL Client Hello tuning of attributes
    ciphers_allow, ciphers_remove, extensions_allow, extensions_remove, curves_allow, curves_remove handshake attribute
  > system support ssl-client-hello-tuning extensions_remove 16,13172
  Using tuning file: /etc/sf/ssl_client_hello.conf
  Parameter and value successfully added to configuration file.
  Configuration file contents (defaults added automatically):
  extensions_remove=16,13172
  (16 = Application Layer Protocol Negotiation, 13172 = Next Protocol Negotiation)
  You must restart snort before this change will take affect
  This can be done via the CLI command 'pmtool restartbytype DetectionEngine'.
  > system support ssl-client-hello-reset
  Using tuning file: /etc/sf/ssl_client_hello.conf
  Are you certain that you wish to delete the current SSL tuning configuration file? (y/n) [n]: y
  Configuration file successfully deleted.
  This example is used to fix block pages in HTTPS traffic.
Lab 4: Seeing decryption at a packet level
  RDP into 198.19.10.21 (should be a link on your desktop), Administrator/C1sco12345
  Put in place the SSL policy from Lab 1 (should already be installed)
  SSH into the FTD: open PuTTY, there should be a saved session (NGFW), admin/c1sco12345
  Capture packets, then download and inspect them
Lab 4
  > capture capin interface inside buffer 6123456 match tcp host 198.19.10.21 any eq 443
  > capture capout interface outside buffer 6123456 match tcp any any eq 443
  > show capture
  capture capin type raw-data interface inside [Capturing - 0 bytes]
    match tcp host <ip> any eq https
  capture capin type raw-data interface outside [Capturing - 0 bytes]
    match tcp host <ip> any eq https
  --> Now navigate to www.ciscolive.com
Lab 4: Testing
Lab 4
  > copy /noconfirm /pcap capture:capin disk0:
  Source capture name [capin]?
  Destination filename [capin]?
  !!!!!!!!!!
  353 packets copied in 0.40 secs
  > copy /noconfirm /pcap capture:capout disk0:
  Source capture name [capout]?
  Destination filename [capout]?
  !!!!!!!!!!
  364 packets copied in 0.40 secs
  > expert
  # sudo cp /mnt/disk0/capin /ngfw/var/common/capin.pcap
  Password:
  # sudo cp /mnt/disk0/capout /ngfw/var/common/capout.pcap
  Password:
Lab 4: Retrieve the pcap
Lab 4: Retrieve the pcap, continued
Lab 4: Compare the Client Hellos
Lab 5: Decrypt Known Key. Find Outside.cer and outside.key in Certificates and install the certificate.
Lab 5: Importing the internal certificate
Lab 5: Internal certificate
Lab 5: Rule
Lab 5: Navigate to 198.18.133.200 from the RDP session
Challenge: Why are you getting certificate errors? Is the certificate installed?
Challenge: Hint
Challenge: Answer
Questions?
Scenarios Based on TAC cases
Scenario 1: Put a "block social media" URL rule at the top of the SSL policy. Navigate to facebook.com, ciscolive.com, cisco.com.
Scenario 1 questions: Is traffic decrypted as expected? Why?
Scenario 1 answers: The SSL policy falls back to its default action if the URL filtering lookup fails.
Scenario 1 answers continued (screenshot)
Scenario 2: Your company has a wildcard certificate (Outside.cer). Import Outside.cer and Outside.key as an Internal CA; this simulates a public CA certificate (DigiCert/RapidSSL). Use it to Decrypt Re-sign.
Scenario 2 common questions: Why can I not use our company's wildcard certificate? This certificate was not meant for this.
Scenario 2 (screenshot)
Scenario 2 answer: You must use a Subordinate or Root Certificate Authority certificate. When getting the CSR signed, Windows in particular requires the Subordinate Certificate Template.
Scenario 3: We have a ticket from an end user who cannot get to Facebook.com from their computer.
Scenario 3: Domain-joined machine, using Active Directory to push out the root certificate.
Scenario 3 answer: Firefox. Install the certificate.
Scenario 4 (challenging): We have a ticket from an end user who cannot use the Facebook app on their phone.
Scenario 4: Certificate pinning can happen with phone apps: the certificate is stored in the application to prevent MitM. Check SSL Flow Errors.
Common TAC cases that you have learned to avoid
  Certificate not installed on clients (Active Directory gives an option to push certificates to domain-joined machines)
  Wrong certificate type
  Block rule/default action in the SSL policy
  URL filtering rules
TAC case open template: For questions about SSL errors or unexpected actions, to speed up the TAC case please open with the following:
  CSV report output of connection events matching this traffic
  Packet captures: client, sensor and server side
  Explanation of the applications and errors seen
  Include any recent changes you are aware of
  Troubleshoot from the sensor
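The CSV export of connection events that the TAC template asks for is also the fastest first pass on the "SSL Flow Errors" that Scenario 4 and the troubleshooting section point at. The following Python is an added example, not code from the presentation or from Cisco: it reads such an export, counts sessions per server and SSL status, and maps any undecryptable reason onto the explanations from the Undecryptable Actions slides. The column headers (SERVER_COL, STATUS_COL, ERROR_COL) and the status strings in the sample rows are assumptions and should be checked against the header line of a real FMC export; the rows themselves are constructed.

```python
"""Triage an FMC connection-event CSV for SSL problems: sessions per server and
SSL status, plus any undecryptable reason mapped onto the deck's explanation.
Added example, not part of the deck. Column names are assumed; verify them
against a real export. SAMPLE_CSV is constructed."""
import csv
import io
from collections import Counter, defaultdict

# Assumed column headers; adjust to match your export.
SERVER_COL, STATUS_COL, ERROR_COL = "SSL Server Name", "SSL Status", "SSL Flow Error"

# Reasons from the Undecryptable Actions slides, keyed by a lower-case substring.
UNDECRYPTABLE = {
    "compressed session": "SSL session applies a data compression method",
    "sslv2 session": "session encrypted with SSL version 2",
    "unknown cipher suite": "cipher suite not recognized; software update may be required",
    "unsupported cipher suite": "decryption not supported for this cipher suite",
    "session not cached": "session reuse: mid-stream pickup or Snort restart",
    "handshake error": "handshake negotiation failed; unsupported extension (Extended Master Secret before 6.1)",
    "decryption error": "error while decrypting; the session is blocked",
}

# Constructed sample export (values are illustrative, not a real FMC export).
SAMPLE_CSV = """\
SSL Server Name,SSL Status,SSL Flow Error
www.ciscolive.com,Decrypt (Resign),Success
www.ciscolive.com,Decrypt (Resign),Success
facebook.com,Do Not Decrypt,Success
facebook.com,Unknown,Session Not Cached
www.example.com,Block,Handshake Error
www.example.com,Block,Decryption Error
"""

def triage(csv_text):
    """Return ({server: Counter(status)}, [(server, error, explanation), ...])."""
    per_server = defaultdict(Counter)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        server = row.get(SERVER_COL) or "(no SNI)"
        per_server[server][row[STATUS_COL]] += 1
        error = (row.get(ERROR_COL) or "").strip()
        for key, cause in UNDECRYPTABLE.items():
            if key in error.lower():
                findings.append((server, error, cause))
    return per_server, findings

def report(csv_text):
    """Render the triage as text lines, one per server plus one per finding."""
    per_server, findings = triage(csv_text)
    lines = ["%s: %s" % (srv, dict(cnt)) for srv, cnt in sorted(per_server.items())]
    lines += ["%s -> %s (%s)" % f for f in findings]
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CSV)))
```

Run it over the export attached to the case: servers whose sessions land in Block or Unknown with a mapped reason are the ones to capture on the client, sensor and server side, as the template asks.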
Questions?
Thank you