About SSL Policies
An SSL policy determines how the system handles encrypted traffic on your network. You can configure one or more SSL policies. You associate an SSL policy with an access control policy, then apply the access control policy. When the ASA FirePOWER module detects a TCP handshake, the access control policy first handles and inspects the traffic. If it subsequently identifies an SSL-encrypted session over the TCP connection, the SSL policy takes over, handling and decrypting the encrypted traffic. You can have one currently applied SSL policy.
The simplest SSL policy, as shown in the following diagram, directs the device where it is applied to handle encrypted traffic with a single default action. You can set the default action either to block decryptable traffic without further inspection, or to leave decryptable traffic encrypted and pass it to access control for inspection; access control then allows or blocks the encrypted traffic. For traffic the ASA FirePOWER module cannot decrypt, it either blocks the traffic without further inspection or leaves it encrypted and inspects it with access control.
A more complex SSL policy can handle different types of undecryptable traffic with different actions, control traffic based on whether a certificate authority (CA) issued or trusts the encryption certificate, and use SSL rules to exert granular control over encrypted traffic logging and handling. These rules can be simple or complex, matching and inspecting encrypted traffic using multiple criteria. After you create a basic SSL policy, see the following chapters for more information on tailoring it to your deployment:
- Managing Reusable Objects describes how to configure reusable public key infrastructure (PKI) objects and other SSL inspection-related objects to enhance encrypted traffic control and decrypt traffic.
- Logging Connections in Network Traffic describes how to configure logging for encrypted traffic, whether decryptable or undecryptable.
- Applying Decryption Settings Using Access Control describes how to associate an SSL policy with an access control policy.
- Getting Started with Access Control Policies describes how to apply an access control policy to a device.
- Tuning Traffic Flow Using Access Control Rules describes how to configure access control rules to inspect decrypted traffic.
- Getting Started with SSL Rules describes how to configure SSL rules to handle and log encrypted traffic.
- Tuning Traffic Decryption Using SSL Rules describes how to configure SSL rule conditions to better match specific encrypted traffic.