Which Cert For IPS?

Hi all

We have a requirement to provide IPS services on an HA pair of 4100 series FTDs. Specifically there is one flow we need this for. Two clients (servers) need to talk to four servers. The end-to-end path is:

Clients > FTD/IPS > F5 load balancer > Servers

The F5 in this scenario will not perform any SSL offload but will simply provide a VIP and load balance the request to one of the four servers. The SSL handshake will take place directly between the client and server.

I have zero experience with the FTD product, so excuse my ignorance. The question I have is that I understand I need to provide the FTD with the private key of the server in order for it to be able to decrypt the flow and run it through the Snort engine; which private key in this situation do I provide? All four? One bundled?

Thank you


Marvin Rhoads (Hall of Fame)

You will need to provide the IPS the certificates and private keys used on each of the servers in order to decrypt, inspect and resign the traffic. Of course if they are using a single certificate with SANs or a wildcard certificate then you would need only that one certificate and key pair.
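The decision Marvin describes (one cert/key pair if a SAN or wildcard cert is shared, otherwise one pair per distinct server cert) can be worked out from an inventory of what each backend actually presents. The script below is an added example, not code from the thread or from Cisco; the hostnames, VIP name and fingerprints are a constructed inventory standing in for what `openssl s_client -connect <server>:443 -servername <vip>` would show per backend. It groups the backends by leaf-certificate fingerprint to count the key pairs the FTD would need, and, as a general TLS caveat not raised in the thread, also flags any server whose cert would not match the VIP name the clients put in SNI, since a known-key decrypt does not help if the client refuses the handshake in the first place.

```python
"""How many cert/key pairs does a known-key decryption policy need?

Added example for the thread above (not Cisco or FTD code). BACKENDS is a
constructed inventory: names and fingerprints are made up. In practice fill it
from `openssl s_client -connect <server>:443 -servername <vip> -showcerts`.
"""
from collections import defaultdict

# Constructed inventory: each backend's leaf cert as seen during a real handshake.
# "fp" is the leaf's SHA-256 fingerprint; equal fingerprints mean the same
# certificate, hence the same private key to load on the FTD.
BACKENDS = {
    "app1.example.internal": {"cn": "*.example.internal",
                              "sans": ["*.example.internal"], "fp": "11:11"},
    "app2.example.internal": {"cn": "*.example.internal",
                              "sans": ["*.example.internal"], "fp": "11:11"},
    "app3.example.internal": {"cn": "app3.example.internal",
                              "sans": ["app3.example.internal"], "fp": "33:33"},
    "app4.example.internal": {"cn": "app4.example.internal",
                              "sans": [], "fp": "44:44"},
}
VIP_NAME = "payments.example.internal"  # the name clients resolve and send as SNI


def hostname_matches(hostname, pattern):
    """RFC 6125 style match: case-insensitive; a wildcard is honoured only as the
    entire leftmost label, matches exactly one label, and needs at least two
    labels to its right (so '*.com' is rejected)."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return hostname == pattern
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or "*" in plabels[1:]:
        return False  # partial-label ('app*') or non-leftmost wildcards
    if len(plabels) < 3:
        return False
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def cert_covers(cert, hostname):
    """A cert covers a name if a SAN dNSName matches; the CN is consulted only
    when the cert carries no SAN extension at all."""
    names = cert["sans"] if cert["sans"] else [cert["cn"]]
    return any(hostname_matches(hostname, n) for n in names)


def plan_known_key(backends, vip_name):
    """Group servers by the cert (key pair) they present and list the servers
    whose cert would not match the VIP name the clients connect to."""
    by_fp = defaultdict(list)
    uncovered = []
    for server, cert in backends.items():
        by_fp[cert["fp"]].append(server)
        if not cert_covers(cert, vip_name):
            uncovered.append(server)
    return {"key_pairs": dict(by_fp), "uncovered": uncovered}


if __name__ == "__main__":
    plan = plan_known_key(BACKENDS, VIP_NAME)
    print(f"{len(plan['key_pairs'])} distinct cert/key pair(s) to load:")
    for fp, servers in plan["key_pairs"].items():
        print(f"  {fp}: {', '.join(servers)}")
    for server in plan["uncovered"]:
        print(f"  warning: cert on {server} does not match SNI name {VIP_NAME}")
```

With the constructed inventory the answer is three key pairs (the shared wildcard cert counts once), and app3/app4 are flagged because their certificates name only themselves while the client will be asking for the VIP name. Swapping in a single SAN certificate on all four backends collapses the plan to one key pair, which is the situation Marvin's reply points at.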

Hi Marvin

Thank you for the swift and clear response. This has given me food for thought. The SAN method in particular is a nifty little suggestion which I will ask the customer about.

A further question: if they come back and say we can't use a SAN certificate, and each server must use a unique cert, is it fairly straightforward to create an IPS policy that utilises more than one cert/key?

Thanks

Yes. Technically it's an SSL Policy, which is called out in an Access Control Policy.

While I haven't had a use case to do so myself, I know you can select and add multiple certificates in a given SSL policy.

Brill, thank you Marvin. I'll search that function out now.
