A while ago the "HTTPS Inspection" feature was announced.
This appears to have moved from Alpha to Beta. We are trialling it out on 15.21 - and it is now working reliably. On an MX67 (with only a small number of test users) we are able to get 450Mb/s using speedtest.net.
So it is starting to look a bit more serious and usable for those interested. Personally, we'll probably stick to using Cisco Umbrella for those actually wanting this capabilitity, but if you want a one box solution then it is now plausible.
Though I'm sharing your views on Decryption, this is nevertheless great news! We definitely have some clients wanting to jump onto that wagon and your testing sounds as if this isn't going to be turning out as a disaster.
Guess it stillt has to be requested via support case?
Interesting, so the potential throughput loss may be less awful than predicted? At least in environments with only a few users.
I'm also a fan of other methods, since intentional Mallories in the middle give me hives. We use Umbrella in my office and across several dozen client deployments representing hundreds of users. Small sample size, I know, but we've been very happy with the results.
Are you able to exempt any sites from the HTTPS inspection, or is this a binary setting?
A bit off topic but you here using ThreatGrid sub in addition to MXs with Advanced security and AMP enabled? I looked into the latest and found that Cisco has a new TG daily sample subscription pending in prelaunch hold. This seems to be more proper priced to SMB compared to the TG Cloud sub with at least 3 users on TG portal actually executing the files and anomalies that AMP does not know for sure.
After trying out TLS decryption for a week I've found the biggest issue is you can not whitelist domains that don't work.
We found several apps that provide end to end encryption no longer work - such as WhatsApp web. Also the Cisco ASDM no longer worked.
Hey Philip, thank you for the follow up on the issue about the TLS decryption.
Can you clarify about the impossibility to whitelist domains and apps ? There this section (in bellow) in the documentation that you posted first, based on it, are you saying that it doesn't work ? or is something different ?
Configure Layer 3 and 7 whitelist options
Navigate to the Security & SD-WAN > Threat Protection page.
L7 whitelist: Specify destination hostnames that should be exempt from HTTPS inspection. Use wild cards by prefixing the hostname entry with an asterisk. For example, *.example.com will match www.example.com .
Note: The L3 and L7 whitelist configurations apply to all clients affected by HTTPS inspection, including those with inspection applied via group policy.
Critical note in the KB:
IMPORTANT: HTTPS inspection is still in development and in beta. This feature is in testing and not recommended for production networks. It might end up breaking certain existing features and impact network traffic adversely. Please refrain from utilizing this as a production solution.
I have tried to follow the link you have provided, however, it's asking for a login that I don't appear to have.
My CCO login, Meraki Partner and Meraki Dashboard log in don't seem to be accepted.
Is this information stored in another loaction?
So are Meraki still supporting HTTPS packet inspection? Is this still only available in Beta or is the being dropped in favor of directing HTTPS inspection to Cisco Umbrella Subscription service?
I guess they've dropped it because of its implications (performance impact as well as functionality issues) in favor of Umbrella. At least that'd make perfect sense.