SSL Decryption On Firepower Explained With Simple Terminologies

On Cisco Firepower Threat Defense there are two ways to do SSL Decryption (two actions in the SSL Policy).

Decrypt-Resign: for outbound connection (from an inside PC to an external server).

  • Used for traffic to external servers
  • FTD splits the original session into two: client<—>FTDw<—>server
  • The original server certificate is modified and resigned by FTD

Decrypt-Known-Key: for inbound connection (from an external PC to your internal server).

  • Used for traffic coming to your internal servers
  • Server’s Private Key is uploaded to FTD
  • FTD decrypts the client-server taffic on the fly

For both option, ,need to import the right certificates.

How and where?


Navigate to Object –> Object Management –> PKI

There are two options:

Internal CA

  • Internal CA’s certifcate (or FTD as CA) and Keys
  • Needed for “Decrypt Resign”

Internal Certificate:

  • Your server’s certificate and private key
  • Needed for “Decrypt Known Key”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s