HTTPS Inspection - TLS/SSL Decryption

Kind of a big deal


A while ago the "HTTPS Inspection" feature was announced.

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/HTTPS_Inspection 

 

This appears to have moved from Alpha to Beta.  We are trialling it out on 15.21 - and it is now working reliably.  On an MX67 (with only a small number of test users) we are able to get 450Mb/s using speedtest.net.

 

So it is starting to look a bit more serious and usable for those interested.  Personally, we'll probably stick to using Cisco Umbrella for those actually wanting this capability, but if you want a one-box solution then it is now plausible.

8 REPLIES
Building a reputation

Re: HTTPS Inspection - TLS/SSL Decryption

Though I'm sharing your views on Decryption, this is nevertheless great news! We definitely have some clients wanting to jump onto that wagon and your testing sounds as if this isn't going to be turning out as a disaster.

 

Guess it still has to be requested via support case?

A model citizen

Re: HTTPS Inspection - TLS/SSL Decryption

Thanks for your interesting feedback @PhilipDAth 

Kind of a big deal

Re: HTTPS Inspection - TLS/SSL Decryption

Interesting, so the potential throughput loss may be less awful than predicted? At least in environments with only a few users.

 

I'm also a fan of other methods, since intentional Mallories in the middle give me hives. We use Umbrella in my office and across several dozen client deployments representing hundreds of users. Small sample size, I know, but we've been very happy with the results.

 

Are you able to exempt any sites from the HTTPS inspection, or is this a binary setting?

A model citizen

Re: HTTPS Inspection - TLS/SSL Decryption

A bit off topic, but are you here using a ThreatGrid sub in addition to MXs with Advanced Security and AMP enabled? I looked into the latest and found that Cisco has a new TG daily sample subscription pending in prelaunch hold. This seems to be more properly priced for SMB compared to the TG Cloud sub with at least 3 users on TG portal actually executing the files and anomalies that AMP does not know for sure.

Kind of a big deal

Re: HTTPS Inspection - TLS/SSL Decryption

I've never used ThreatGrid so can't comment on that one.

Kind of a big deal

Re: HTTPS Inspection - TLS/SSL Decryption

After trying out TLS decryption for a week I've found the biggest issue is you cannot whitelist domains that don't work.

 

We found several apps that provide end to end encryption no longer work - such as WhatsApp web.  Also the Cisco ASDM no longer worked.

Getting noticed

Re: HTTPS Inspection - TLS/SSL Decryption

Hey Philip, thank you for the follow up on the issue about the TLS decryption.

Can you clarify about the impossibility to whitelist domains and apps? There is this section (below) in the documentation that you posted first. Based on it, are you saying that it doesn't work, or is it something different?

Thanks.

 

"""

  1. Configure Layer 3 and 7 whitelist options

    1. Navigate to the Security & SD-WAN > Threat Protection page.

    2. L3 whitelist: Specify source IPs of clients that should be exempt from HTTPS inspection. 
    3. L7 whitelist: Specify destination hostnames that should be exempt from HTTPS inspection. Use wild cards by prefixing the hostname entry with an asterisk. For example, *.example.com will match www.example.com.

Note: The L3 and L7 whitelist configurations apply to all clients affected by HTTPS inspection, including those with inspection applied via group policy.

"""
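
Added example (not part of any post in this thread and not Meraki code): a small pre-rollout check that models the L3 and L7 exemption lists quoted above, so you can see which flows would still be decrypted before enabling inspection. The list entries and flows are constructed, and the wildcard semantics beyond "*.example.com matches www.example.com" are an assumption, since the quoted documentation does not state them.

```python
import ipaddress

# Constructed sample policy; entries are illustrative, not taken from the thread.
L3_EXEMPT_SOURCES = ["10.0.50.0/24", "10.0.1.25"]
L7_EXEMPT_HOSTS = ["*.example.com", "asdm.corp.example.net"]


def host_matches(entry: str, hostname: str) -> bool:
    """Match one L7 entry against a hostname, case-insensitively.

    Assumption: '*.' covers one or more labels left of the suffix and does
    not cover the bare domain. The quoted documentation only states that
    *.example.com matches www.example.com.
    """
    entry = entry.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if entry.startswith("*."):
        suffix = entry[1:]  # ".example.com": the dot keeps "badexample.com" out
        return hostname.endswith(suffix) and len(hostname) > len(suffix)
    return hostname == entry


def is_exempt(src_ip: str, hostname: str) -> str:
    """Return 'L3', 'L7' or '' depending on which list exempts the flow."""
    addr = ipaddress.ip_address(src_ip)
    if any(addr in ipaddress.ip_network(n, strict=False) for n in L3_EXEMPT_SOURCES):
        return "L3"
    if any(host_matches(e, hostname) for e in L7_EXEMPT_HOSTS):
        return "L7"
    return ""


def still_inspected(flows):
    """Flows (src_ip, hostname) that neither list exempts."""
    return [f for f in flows if not is_exempt(*f)]


if __name__ == "__main__":
    # Constructed flows: client source IP and the hostname it connects to.
    flows = [
        ("10.0.50.7", "web.whatsapp.com"),       # exempt by source IP
        ("10.0.2.9", "www.example.com"),         # exempt by wildcard
        ("10.0.2.9", "example.com"),             # bare domain, not covered
        ("10.0.2.9", "web.whatsapp.com"),        # would still be decrypted
    ]
    for src, host in still_inspected(flows):
        print(f"inspected: {src} -> {host}")
```
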

Kind of a big deal

Re: HTTPS Inspection - TLS/SSL Decryption

I never spotted that bit.  That should do it.
