Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 25-71
Chapter 25      Using Application Layer Preprocessors
Using the SSL Preprocessor
• The SSL preprocessor requires TCP stream preprocessing. If TCP stream preprocessing is disabled and you enable the SSL preprocessor, you are prompted when you save the policy whether to enable TCP stream preprocessing. See the referenced sections for more information.
• When an intrusion rule that requires this preprocessor is enabled in an intrusion policy where the preprocessor is disabled, you must enable the preprocessor or choose to allow the system to enable it automatically before you can save the policy.
For more information, see the following sections:
Understanding SSL Preprocessing
License: Protection
The SSL preprocessor stops inspection of encrypted data, which can help to eliminate false positives. 
The SSL preprocessor maintains state information as it inspects the SSL handshake, tracking both the 
state and SSL version for that session. When the preprocessor detects that a session state is encrypted, 
the system marks the traffic in that session as encrypted. You can configure the system to stop processing 
on all packets in an encrypted session when encryption is established. 
For each packet, the SSL preprocessor verifies that the traffic contains an IP header, a TCP header, and 
a TCP payload, and that it occurs on the ports specified for SSL preprocessing. For qualifying traffic, 
the following scenarios determine whether the traffic is encrypted:
• the system observes all packets in a session, the Server side data is trusted option is not enabled, and the session includes a Finished message from both the server and the client and at least one packet from each side with an Application record and without an Alert record
• the system misses some of the traffic, the Server side data is trusted option is not enabled, and the session includes at least one packet from each side with an Application record that is not answered with an Alert record
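The two scenarios above, modelled as an added example that is not Cisco's code and not the preprocessor's actual implementation: a small Python state tracker replays a constructed trace of SSL/TLS records and reports when the session would be marked encrypted. It assumes the Server side data is trusted option is disabled, treats the Finished handshake message as visible in the trace, and simplifies "not answered with an Alert record" to the peer's next packet carrying no Alert.

```python
from dataclasses import dataclass, field

# TLS record content types (RFC 5246) and the Finished handshake message type.
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
FINISHED = 20
BOTH = {"client", "server"}
# A packet is (side, [(content_type, handshake_type), ...]) with side "client" or "server".

@dataclass
class SslSession:
    """Hypothetical per-session state; 'Server side data is trusted' is assumed disabled."""
    all_packets_seen: bool = True       # False models the "system misses some traffic" case
    finished_from: set = field(default_factory=set)
    app_clean_from: set = field(default_factory=set)  # Application record, no Alert in same packet
    app_unanswered_from: set = field(default_factory=set)
    awaiting_reply: str = ""            # side whose Application record awaits the peer's reply

    def observe(self, side, records):
        """Update state with one packet; return True once the session counts as encrypted."""
        peer = "server" if side == "client" else "client"
        types = {ct for ct, _ in records}
        # Simplification: the peer's next packet decides whether an Application record was answered with an Alert.
        if self.awaiting_reply == peer:
            if ALERT not in types:
                self.app_unanswered_from.add(peer)
            self.awaiting_reply = ""
        if (HANDSHAKE, FINISHED) in records:  # simplification: Finished treated as visible
            self.finished_from.add(side)
        if APPLICATION_DATA in types:
            if ALERT not in types:
                self.app_clean_from.add(side)
            self.awaiting_reply = side
        if self.all_packets_seen:  # scenario 1: Finished from both sides plus clean app data each way
            return self.finished_from == BOTH and self.app_clean_from == BOTH
        return self.app_unanswered_from == BOTH  # scenario 2: app data from each side not answered with an Alert

def encrypted_after(packets, all_packets_seen=True):
    """Replay a constructed trace; True if the session gets marked encrypted (inspection then stops)."""
    session = SslSession(all_packets_seen=all_packets_seen)
    return any(session.observe(side, records) for side, records in packets)

# Constructed trace: whole handshake seen, then application data in both directions.
FULL_TRACE = [("client", [(HANDSHAKE, 1)]), ("server", [(HANDSHAKE, 2)]),  # ClientHello, ServerHello
              ("client", [(CHANGE_CIPHER_SPEC, None), (HANDSHAKE, FINISHED)]),
              ("server", [(CHANGE_CIPHER_SPEC, None), (HANDSHAKE, FINISHED)]),
              ("client", [(APPLICATION_DATA, None)]), ("server", [(APPLICATION_DATA, None)])]
# Constructed trace: the server answers the client's Application record with an Alert instead.
ALERT_TRACE = FULL_TRACE[:5] + [("server", [(ALERT, None)])]
```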