Meraki

Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

HTTPS Inspection - TLS/SSL Decryption

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 25 2019 4:27 PM
‎Nov 25 2019 4:27 PM

HTTPS Inspection - TLS/SSL Decryption

A while ago the "HTTPS Inspection" feature was announced.

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/HTTPS_Inspection 

 

This appears to have moved from Alpha to Beta.  We are trialling it out on 15.21 - and it is now working reliably.  On an MX67 (with only a small number of test users) we are able to get 450Mb/s using speedtest.net.

 

So it is starting to look a bit more serious and usable for those interested.  Personally, we'll probably stick to using Cisco Umbrella for those actually wanting this capabilitity, but if you want a one box solution then it is now plausible.

15 Replies 15
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Nov 26 2019 12:34 AM
‎Nov 26 2019 12:34 AM

Though I'm sharing your views on Decryption, this is nevertheless great news! We definitely have some clients wanting to jump onto that wagon and your testing sounds as if this isn't going to be turning out as a disaster.

 

Guess it stillt has to be requested via support case?

0 Kudos
Roska
A model citizen
‎Nov 26 2019 2:16 AM
‎Nov 26 2019 2:16 AM

Thanks for your interesting feedback @PhilipDAth 

0 Kudos
Nash
Kind of a big deal
‎Nov 26 2019 6:34 AM
‎Nov 26 2019 6:34 AM

Interesting, so the potential throughput loss may be less awful than predicted? At least in environments with only a few users.

 

I'm also a fan of other methods, since intentional Mallories in the middle give me hives. We use Umbrella in my office and across several dozen client deployments representing hundreds of users. Small sample size, I know, but we've been very happy with the results.

 

Are you able to exempt any sites from the HTTPS inspection, or is this a binary setting?

Windows 10 Client VPN scripts: Makes life better!
0 Kudos
In response to Nash
Roska
A model citizen
‎Nov 26 2019 11:52 PM
‎Nov 26 2019 11:52 PM

A bit off topic but you here using ThreatGrid sub in addition to MXs with Advanced security and AMP enabled? I looked into the latest and found that Cisco has a new TG daily sample subscription pending in prelaunch hold. This seems to be more proper priced to SMB compared to the TG Cloud sub with at least 3 users on TG portal actually executing the files and anomalies that AMP does not know for sure.

0 Kudos
In response to Roska
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 27 2019 12:53 PM
‎Nov 27 2019 12:53 PM

I've never used ThreatGrid so can't comment on that one.

0 Kudos
In response to PhilipDAth
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 1 2019 12:15 PM
‎Dec 1 2019 12:15 PM

After trying out TLS decryption for a week I've found the biggest issue is you can not whitelist domains that don't work.

 

We found several apps that provide end to end encryption no longer work - such as WhatsApp web.  Also the Cisco ASDM no longer worked.

0 Kudos
In response to PhilipDAth
rrocha
Getting noticed
‎Dec 5 2019 8:58 AM
‎Dec 5 2019 8:58 AM

Hey Philip, thank you for the follow up on the issue about the TLS decryption.

Can you clarify about the impossibility to whitelist domains and apps ? There this section (in bellow) in the documentation that you posted first, based on it, are you saying that it doesn't work ? or is something different ?

Thanks.

 

"""

  1. Configure Layer 3 and 7 whitelist options

    1. Navigate to the Security & SD-WAN > Threat Protection page.

    2. L3 whitelist: Specify source IPs of clients that should be exempt from HTTPS inspection. 

    3. L7 whitelist: Specify destination hostnames that should be exempt from HTTPS inspection. Use wild cards by prefixing the hostname entry with an asterisk. For example, *.example.com will match www.example.com .  

Note: The L3 and L7 whitelist configurations apply to all clients affected by HTTPS inspection, including those with inspection applied via group policy.

"""

In response to rrocha
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 5 2019 11:48 AM
‎Dec 5 2019 11:48 AM

I never spotted that bit.  That should do it.

0 Kudos
In response to PhilipDAth
AI007
Meraki Employee
Meraki Employee
‎Aug 25 2021 2:48 PM
‎Aug 25 2021 2:48 PM

Now have Application Allow list for MX16+ firmware:Screen Shot 2021-08-25 at 2.50.14 PM.png

0 Kudos
KarstenI
Kind of a big deal
Kind of a big deal
‎Aug 25 2021 2:58 PM
‎Aug 25 2021 2:58 PM

I never expected that this comes a reality ...

Ok, have to change my mind on it. Especially as the Umbrella SIG package is quite expensive.

0 Kudos
In response to KarstenI
AI007
Meraki Employee
Meraki Employee
‎Aug 25 2021 3:19 PM
‎Aug 25 2021 3:19 PM

Critical note in the KB:

IMPORTANT: HTTPS inspection is still in development and in beta. This feature is in testing and not recommended for production networks. It might end up breaking certain existing features and impact network traffic adversely. Please refrain from utilizing this as a production solution.

 

0 Kudos
TBee
Here to help
‎Nov 15 2021 1:28 AM
‎Nov 15 2021 1:28 AM

Hi Philip,

 

I have tried to follow the link you have provided, however, it's asking for a login that I don't appear to have.

 

My CCO login, Meraki Partner and Meraki Dashboard log in don't seem to be accepted.

 

Is this information stored in another loaction?

0 Kudos
In response to TBee
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 15 2021 1:49 AM
‎Nov 15 2021 1:49 AM

It looks like the link has been removed.  I can't find it anywhere else.

0 Kudos
In response to PhilipDAth
TBee
Here to help
‎Nov 15 2021 2:50 AM
‎Nov 15 2021 2:50 AM

So are Meraki still supporting HTTPS packet inspection? Is this still only available in Beta or is the being dropped in favor of directing HTTPS inspection to Cisco Umbrella Subscription service?

0 Kudos
In response to TBee
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Nov 15 2021 3:56 AM
‎Nov 15 2021 3:56 AM

I guess they've dropped it because of its implications (performance impact as well as functionality issues) in favor of Umbrella. At least that'd make perfect sense.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.