History for Decryption Policy
Feature | Minimum Management Center | Minimum Threat Defense | Details |
---|---|---|---|
QUIC decryption. | 20241030 | 7.6.0 with Snort 3 | You can configure the decryption policy to apply to sessions running on the QUIC protocol. QUIC decryption is disabled by default. You can selectively enable QUIC decryption per decryption policy and write decryption rules that apply to QUIC traffic. By decrypting QUIC connections, the system can inspect them for intrusions, malware, or other issues. You can also apply granular control and filtering of decrypted QUIC connections based on specific criteria in the access control policy. We modified the decryption policy Advanced Settings to include the option to enable QUIC decryption. |
Easily bypass decryption for sensitive and undecryptable traffic. | 20240808 | 7.6.0 | It is now easier to bypass decryption for sensitive and undecryptable traffic, which protects users and improves performance. New decryption policies now include predefined rules that, if enabled, automatically bypass decryption for sensitive URL categories (such as finance or medical), undecryptable distinguished names, and undecryptable applications. Distinguished names and applications are typically undecryptable because they use TLS/SSL certificate pinning, which cannot be decrypted. For outbound decryption, you enable or disable these rules as part of creating the policy. For inbound decryption, the rules are disabled by default. After the policy is created, you can edit, reorder, or delete the rules entirely. New/modified screens: |
Decryption policy. | 20221213 | 7.3.0 | Feature renamed to decryption policy to better reflect what it does. You can now configure a decryption policy with one or more Decrypt - Resign or Decrypt - Known Key rules at the same time. New/modified screens: |
TLS 1.3 decryption. | 20220609 | 7.2.0 | You can now enable TLS 1.3 decryption in an SSL policy's advanced actions. TLS 1.3 decryption requires that the managed device run Snort 3. Other options are available as well; for more information, see TLS 1.3 Decryption Best Practices. New/modified screens: |
SSL policy advanced settings. | 20220609 | 7.2.0 | New/modified screens: SSL policy advanced settings. |
Ability to specify handling of URLs having unknown reputation. | 20220609 | 7.0.3 | For details, see About URL Filtering with Category and Reputation. |
ClientHello modification for Decrypt - Known Key rules. | 20220609 | 7.0.3 | For details, see ClientHello Message Handling. |
Ability to extract the certificate in TLS 1.3 traffic to enable traffic to match URL and application criteria in access control rules. | 20220609 | | New/modified screens: For details, see Decryption Policy Advanced Options. |
Changes to category and reputation-based URL filtering. | 20220609 | 7.0.3 | For details, see About URL Filtering with Category and Reputation. |
TLS crypto acceleration cannot be disabled. | 20220609 | 7.0.3 | TLS crypto acceleration is enabled on all supported devices. On a managed device with native interfaces, TLS crypto acceleration cannot be disabled. Support for TLS crypto acceleration on threat defense container instances is limited, as discussed in the next row of this table. Removed commands: |
Support for TLS crypto acceleration on one threat defense container instance on a Firepower 4100/9300 module/security engine. | 20220609 | 7.0.3 | You can now enable TLS crypto acceleration for one threat defense container instance on a module/security engine. TLS crypto acceleration is disabled for other container instances, but enabled for native instances. New/modified commands: |
TLS/SSL hardware acceleration is now referred to as TLS crypto acceleration. | 20220609 | 7.0.3 | The name change reflects that TLS/SSL encryption and decryption acceleration is supported on more devices. Depending on the device, acceleration might be performed in software or in hardware. New/modified screens: |
TLS/SSL hardware acceleration enabled by default. | 20220609 | 7.0.3 | TLS/SSL hardware acceleration is enabled by default on all supported devices but can be disabled if desired. |
Extended Master Secret extension supported (see RFC 7627). | 20220609 | 7.0.3 | The TLS Extended Master Secret extension is supported for SSL policies; specifically, policies with a rule action of Decrypt - Resign or Decrypt - Known Key. |
Aggressive TLS 1.3 downgrade. | 20220609 | 7.0.3 | Using the `system support ssl-client-hello-enabled aggressive_tls13_downgrade {true\|false}` CLI command, you can control the behavior for downgrading TLS 1.3 traffic to TLS 1.2. For details, see the Cisco Secure Firewall Threat Defense Command Reference. |
TLS/SSL hardware acceleration introduced. | 20220609 | 7.0.3 | Certain managed device models perform TLS/SSL encryption and decryption in hardware, improving performance. By default, the feature is enabled. Affected screen: To view the status of TLS/SSL hardware acceleration, see the General page. |
Category and reputation conditions supported. | 20220609 | 7.0.3 | Category and reputation conditions are now supported in access control rules and SSL rules. |
SafeSearch supported. | 20220609 | 7.0.3 | The system displays an HTTP response page for connections that are decrypted by the SSL policy and then blocked (or interactively blocked), either by access control rules or by the access control policy default action. In these cases, the system encrypts the response page and sends it at the end of the re-encrypted SSL stream. SafeSearch filters objectionable content and stops people from searching adult sites. |
TLS/SSL policy. | 20220609 | 7.0.3 | Feature introduced. |