09-24-2017 01:08 AM - edited 02-21-2020 06:21 AM
Hi all
We have a requirement to provide IPS services on a HA pair of 4100 series FTDs. Specifically there is one flow we need this for. Two clients (servers) need to talk to four servers. The end-to-end path is:
Clients > FTD/IPS > F5 load balancer > Servers
The F5 in this scenario will not perform any SSL offload but will simply provide a VIP and load balance the request to one of the four servers. The SSL handshake will take place directly between the client and server.
I have zero experience with the FTD product so excuse my ignorance. The question I have is that I understand I need to provide the FTD with the private key of the server in order for it to be able to decrypt the flow and run it through the SNORT engine; which private key in this situation do I provide? All four? One bundled?
Thank you
09-24-2017 01:51 AM
You will need to provide the IPS the certificates and private keys used on each of the servers in order to decrypt, inspect and resign the traffic. Of course if they are using a single certificate with SANs or a wildcard certificate then you would need only that one certificate and key pair.
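As an added illustration of the answer above (not code from the thread or from Cisco): the FTD only needs one private key per distinct cert/key pair the backends actually present, and a SAN or wildcard cert covers a host only if its names match under the usual leftmost-label rule. The server names, fingerprints and SAN lists below are constructed; in practice they would come from `openssl x509 -noout -subject -ext subjectAltName` on each server's certificate.

```python
from typing import Dict, List

# Constructed sample: four backends behind one F5 VIP (hostnames are assumptions).
SERVERS = ["app1.example.test", "app2.example.test",
           "app3.example.test", "app4.example.test"]

# What each server presents today (constructed). app1 and app2 share one
# SAN cert/key pair; app3 and app4 each have their own.
CERT_A = {"key_fp": "KEY-A", "cn": "app1.example.test",
          "sans": ["app1.example.test", "app2.example.test"]}
PRESENTED: Dict[str, dict] = {
    "app1.example.test": CERT_A,
    "app2.example.test": CERT_A,
    "app3.example.test": {"key_fp": "KEY-C", "cn": "app3.example.test", "sans": []},
    "app4.example.test": {"key_fp": "KEY-D", "cn": "app4.example.test", "sans": []},
}
# Candidate single cert for the "one wildcard/SAN cert" option (constructed).
WILDCARD_CERT = {"key_fp": "KEY-W", "cn": "*.example.test", "sans": ["*.example.test"]}


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' may replace only the entire leftmost label,
    the pattern must keep at least two labels after it, and label counts
    must be equal (so '*.example.test' does not cover 'a.b.example.test')."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def distinct_key_pairs(presented: Dict[str, dict]) -> List[str]:
    """Key fingerprints the FTD SSL policy needs: one per distinct pair presented."""
    return sorted({cert["key_fp"] for cert in presented.values()})


def uncovered_hosts(cert: dict, servers: List[str]) -> List[str]:
    """Hostnames this cert would NOT cover; empty means one cert/key pair suffices."""
    names = cert["sans"] or [cert["cn"]]  # SAN takes precedence over CN when present
    return [h for h in servers if not any(name_matches(n, h) for n in names)]


if __name__ == "__main__":
    print("keys to upload:", distinct_key_pairs(PRESENTED))
    print("hosts the wildcard cert misses:", uncovered_hosts(WILDCARD_CERT, SERVERS))
```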
09-24-2017 02:35 AM
Hi Marvin
Thank you for the swift & clear response. This has given me food for thought. The SAN method in particular is a nifty little suggestion which I will ask the customer.
A further question - if they come back say we can't use a SAN certificate, each server must use a unique cert, is it fairly straightforward to create an IPS policy that utilises more than one cert/key?
Thanks
09-24-2017 03:35 AM
Yes - technically it's an SSL Policy which is called out in an Access Control Policy.
While I haven't had a use case to do so myself, I know you can select and add multiple certificates in a given SSL policy.
09-24-2017 06:03 AM
Brill, thank you Marvin. I'll search that function out now.