Community Member

FTD Transparent

We need to implement a new FTD in transparent mode in our network, where it will be placed between the first-stage firewall and the perimeter firewall, and we need to pass all traffic (web and email traffic) through this device, where we need to inspect all of it.

 

We're using the Web Security Appliance and the Email Security Appliance, and we have a CA, so my questions are:

 

1. Which certificate do we have to use to inspect all traffic (web and email)?

2. Which requirements do we have before our implementation, and what are the steps of implementation?

 

BR,

Saad

 

5 REPLIES
Hall of Fame Super Silver

Re: FTD Transparent

If you already have WSA and ESA then they inspect your web and email traffic respectively.

 

Why would you want to also add the FTD as an additional inspection explicitly for those traffic types? You can just use it in normal IPS mode and don't do anything special for web and email on it.

 

Decryption is a very deep topic. Very few organizations elect to decrypt outbound web traffic with FTD. Doing so requires a significant effort and is a challenge that's not easily answered in a support community thread. It should instead be part of a well-thought-out project executed by competent systems engineers.

Community Member

Re: FTD Transparent

Thank you for your reply Marvin.

 

I already have the Web and Email security appliances, but the customer needs the FTD as a second phase of inspection and needs the malicious traffic to go to a SIEM solution at another branch.

 

So we need to decrypt the traffic to inspect it.

Hall of Fame Super Silver

Re: FTD Transparent

I've never seen anyone chain together decryption. To do so successfully, each step would have to trust the certificate of the next one. For instance, the client trusts the WSA certificate, the WSA trusts the FTD certificate, and the FTD decrypts and re-signs traffic destined for the Internet.

 

Even when only the FTD is involved, it's a hard problem, as a large and increasing number of sites and services do not allow decryption, and doing so will break the application (Dropbox, iTunes, Google services, etc.).

 

Generally speaking, you're better off supplementing solutions such as those already in place with endpoint-based ones such as Umbrella and AMP for Endpoints.

 

If I were going to undertake what you're trying to do, I would try it in a lab first to validate the concept and then deploy it very carefully, starting with a small group of pilot users.
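As an added lab check of the trust relationship described in the reply above (not code from this thread or from Cisco), the POSIX shell script below uses the openssl CLI to model the two re-signing hops: the FTD issues a substitute certificate for the origin server under its own CA, and the WSA does the same under its CA. It then confirms that each hop's certificate verifies only against the CA the next hop must trust. The CA names, the hostname example.com and the temporary working directory are constructed for the example; it assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added lab model of chained decryption (client -> WSA -> FTD -> Internet).
# Assumes the openssl CLI is installed; all names below are constructed.
set -e
work=$(mktemp -d)
cd "$work"

# Create a self-signed decryption (re-signing) CA for one inspection hop.
mkca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
    -days 1 -subj "/CN=$1 decryption CA" >/dev/null 2>&1
}

# Issue the substitute server certificate a hop presents to the next hop,
# signed by that hop's CA ($1 = CA name, $2 = output name).
resign() {
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=example.com" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -out "$2.crt" -days 1 >/dev/null 2>&1
}

# Does certificate $2 chain to the single trusted CA $1?
verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

mkca ftd
mkca wsa
resign ftd leaf_from_ftd   # what the WSA receives from the FTD
resign wsa leaf_from_wsa   # what the client receives from the WSA

# The chain works only if the WSA trust store holds the FTD CA and the
# client trust store holds the WSA CA.
check_chain() {
  verifies ftd.crt leaf_from_ftd.crt && verifies wsa.crt leaf_from_wsa.crt
}

# Installing the wrong CA at either hop breaks the chain at that hop.
check_wrong_ca_fails() {
  if verifies wsa.crt leaf_from_ftd.crt; then return 1; fi
  if verifies ftd.crt leaf_from_wsa.crt; then return 1; fi
  return 0
}

check_chain && check_wrong_ca_fails && echo "chained trust model verified in $work"
```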

Community Member

Re: FTD Transparent

Thanks Marvin.

 

BR,

Saad

Community Member

Re: FTD Transparent

I will provide you my topology; please provide me the steps for implementing the FTD in transparent mode:

 

1. We have a Forcepoint firewall; it's the gateway for users and it has two other zones for the WSA and ESA.

 

2. The outside interface connects to another UTM (Cisco ASA).

 

3. We need to put the FTD between the Forcepoint and the Cisco ASA in transparent mode, where we need this device to decrypt the whole web and email traffic and then inspect it.

 

Note: We will use an FTD 2110.
