MX series - SSL Inspection

SOLVED
alphatango
Conversationalist

MX series - SSL Inspection

Hello,

 

Just wondering if traditional SSL Inspection is a thing on Meraki. (with any of the licenses)

I digging through the internet and found it was in a Meraki beta version, but I cannot find any articles on it.

 

More specifically, looking for outbound SSL inspection where the firewall acts as a proxy for encrypted traffic. (IE with the CA signed cert)

 

Let me know,

 

Thanks! 

1 ACCEPTED SOLUTION
BlakeRichardson
Kind of a big deal
Kind of a big deal

Not supported, it has its uses I grant you that however you are breaking SSL encryption which isn't a good thing and it's a pain because some online systems i.e. ChromeOS management and Apple services will not work if SSL inspection is used and it becomes a game of cat and mouse as you try to get the data you are looking for but not break things. 

View solution in original post

8 REPLIES 8
alemabrahao
Kind of a big deal
Kind of a big deal

I will use the @MilesMeraki words.

 

 

"I'm under the assumption that this might be removed/no longer available. The HTTPS feature on the MX's caused severely degraded throughput once enabled plus an array of other issues.

 

I think the direction now going forward will be to perform the HTTPS/TLS decryption by a SASE security service like Umbrella in-line between the MX and the Internet/SaaS traffic. If you have a look at the updated Sizing guides this also seems to be the "recommended" approach. (https://meraki.cisco.com/product-collateral/mx-sizing-guide/?file).

 

This isn't necessarily a bad thing. SASE security architectures allow for the same security posture and enforcement to be maintained no matter the user's location. This would effectively mean that their HTTPS/TLS traffic would be still decrypted when either on a trusted network or on an un-trusted/un-managed network. Most vendors are now taking this approach to security."

 

Original post: https://community.meraki.com/t5/Security-SD-WAN/HTTPS-Inspection-on-MX/m-p/135063

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

is there a way I can get a confirmation from Meraki TAC? 

You can open a case or call them.

 

https://meraki.cisco.com/meraki-support/overview/

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alphatango
Conversationalist

Update. TAC is giving me the run around. They can't find any article to support this works. 

Claim that HTTPS inspection will do what we need but they can't find any articles to prove it.... more updates later.

The HTTPS Inspection feature on Meraki MX devices was in beta testing as of 2019.It seems that the feature might have been removed or is no longer available. The HTTPS feature on the MX’s caused severely degraded throughput once enabled plus an array of other issues.

 

The option I see that you can use instead is integration with Cisco Umbrella.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
CptnCrnch
Kind of a big deal
Kind of a big deal

No, SSL Decryption was pulled sometime ago from the MX (for good reasons). IF you really want to decrypt SSL, you'd have to stick to another firewall like Firepower or another vendor's solution.

 

Your best option though is to go the cloud-native way with something linke Cisco Secure Access that will handle a lot more of your (future) tasks.

BlakeRichardson
Kind of a big deal
Kind of a big deal

Not supported, it has its uses I grant you that however you are breaking SSL encryption which isn't a good thing and it's a pain because some online systems i.e. ChromeOS management and Apple services will not work if SSL inspection is used and it becomes a game of cat and mouse as you try to get the data you are looking for but not break things. 

PhilipDAth
Kind of a big deal
Kind of a big deal

What everyone is saying is correct - the old traditional SSL native inspection future was removed - because there was a better solution.

 

Cisco Meraki and Cisco Umbrella natively integrate together.  In fact, the integration is even across multiple product families (MX and MR).
https://documentation.meraki.com/MR/Other_Topics/Automatically_Integrating_Cisco_Umbrella_with_Merak... 

 

And then this evolved even a step further, and (especially for MX) the current iteration is now:

https://documentation.meraki.com/CiscoPlusSecureConnect 

Basically you buy your MX and a "Foundations Essentials" licence.  You can read more about the licence options here:
https://documentation.meraki.com/CiscoPlusSecureConnect/Cisco__Secure_Connect_Now-_Sites/Cisco__Secu... 

 

So traditional SSL inspection - no.  Modern SSL inspection - yes.

 

If you are in Greenfields, I would jump directly to Foundation Essentials.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels