Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
830
Views
0
Helpful
5
Replies

FTD Transparent

Saad1
Level 1
Level 1

‎04-15-2018 02:48 AM - edited ‎02-21-2020 07:38 AM

We need to implement a new FTD as transparent mode in our network where it will put between the first stage of firewall and Perimeter Firewall and we need to pass all traffic " Web and Email traffic " through this device where we need to inspect all traffic.

 

We're using Web security appliance and Email security appliance and we have CA so my questions are:

 

1. Which certificate have we use to inspect all traffic " Web and Email " ?

2. Which requirements do we have before our Implementation and steps of implementations?

 

BR,

Saad

 

Labels:
0 Helpful
5 Replies 5

Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-15-2018 07:39 AM

If you already have WSA and ESA then they inspect your web and email traffic respectively.

 

Why would you want to also add the FTD as an additional inspection explicitly for those traffic types? You can just use it in normal IPS mode and don't do anything special for web and email on it.

 

Decryption is a very deep topic. Very few organizations elect to decrypt outbound web traffic with FTD. Doing so requires a significant effort and is a challenge that's not easily answered in a support community thread. It should instead be part of a well-thought-out project executed by competent systems engineers.

0 Helpful

Saad1
Level 1
Level 1
In response to Marvin Rhoads

‎04-15-2018 08:04 AM

Thank you for your reply Marvin.

 

I'm already Web and Email security appliance but the customer needs FTD as second phase for inspection and needs the malicious traffic to go to SIEM solution at another branch.

 

So we need to decrypt the traffic to inspect it.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Saad1

‎04-15-2018 09:47 PM

I've never seen anyone chain together decryption. To do so successfully each step would have to trust the certificate of the next one. For instance, client trust WSA certificate, WSA trusts FTD certificate and FTD decrypts and re-signs traffic destined for the Internet.

 

Even when it it is only FTD involved it's a hard problem as a large and increasing number of sites and services do not allow decryption and doing so will break the application (Dropbox, iTunes, Google services etc.).

 

Generally speaking you're better off supplementing solutions such as are already in place with endpoint-based ones such as Umbrella and AMP for Endpoints.

 

If I was going to undertake what you're trying to do, I would try it in a lab first to validate the concept and then deploy it very carefully, starting with a small group of pilot users.

0 Helpful

Saad1
Level 1
Level 1
In response to Marvin Rhoads

‎04-16-2018 01:20 AM - edited ‎04-16-2018 01:34 AM

Thanks Marvin.

 

BR,

Saad

0 Helpful

Saad1
Level 1
Level 1
In response to Marvin Rhoads

‎04-16-2018 05:53 AM

I will provide you my topology and please provide me the steps of implementation of FTD transparent:

 

1. We have Forcepoint Firewall and it's a gateway of users and it has two another zones for WSA and ESA.

 

2. The outside interface is connecting to another UTM " Cisco ASA ".

 

3. We need to put the FTD between Forcepoint and Cisco ASA in transparent mode where we need this device decrypt the whole traffic of Web and Email then inspect it.

 

Note. We will use FTD 2110

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card