Cisco FirePOWER Appliance 7020
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Using the SSL Preprocessor
This section explains how to configure the SSH preprocessor.
To configure the SSH preprocessor:
Access: Admin/Intrusion Admin
Step 1 Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2 Click the edit icon next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3 Click Advanced Settings in the navigation panel on the left.
The Advanced Settings page appears.
Step 4 You have two choices, depending on whether SSH Configuration under Application Layer Preprocessors is enabled:
• If the configuration is enabled, click Edit.
• If the configuration is disabled, click Enabled, then click Edit.
The SSH Configuration page appears. A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. See for more information.
Step 5 You can modify any of the options on the SSH Configuration preprocessor page. See for more information.
Step 6 Optionally, click Configure Rules for SSH Configuration at the top of the page to display rules associated with individual options.
Click Back to return to the SSH Configuration page.
Step 7 Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. See the table for more information.
Using the SSL Preprocessor
License: Protection
Although the system cannot analyze the contents of encrypted traffic, an SSL preprocessor option can
be set to continue to attempt to inspect the traffic, occasionally generating false positives and wasting
detection resources. Using the SSL preprocessor, however, the system can analyze the contents of the
handshake and key exchange messages exchanged at the beginning of an SSL session to determine when
the session becomes encrypted. When SSL preprocessing is active, you can cause the system to suspend
inspection of a session as soon as it becomes encrypted. You must ensure that TCP stream preprocessing
is enabled to use the SSL preprocessor.
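The following added example (not code from the FireSIGHT System or from Cisco) sketches the idea described above: it reads the unencrypted record headers of a reassembled stream, follows the handshake, and stops inspecting once both sides have switched to encrypted records. It assumes an SSL 3.0 through TLS 1.2 style handshake, treats a ChangeCipherSpec record from each direction as the point where the session becomes encrypted, and uses constructed sample records; all names are hypothetical.

```python
import struct

CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
RECORD_TYPES = (CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA)
HANDSHAKE_NAMES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   14: "server_hello_done", 16: "client_key_exchange"}

def tls_records(data):
    """Yield (content_type, payload) for each complete record in reassembled bytes."""
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack_from("!BHH", data, offset)
        if ctype not in RECORD_TYPES or version >> 8 != 3:
            raise ValueError(f"not an SSL/TLS record at offset {offset}")
        if offset + 5 + length > len(data):
            break  # record continues in a later segment (not handled in this sketch)
        yield ctype, data[offset + 5:offset + 5 + length]
        offset += 5 + length

class SessionTracker:
    def __init__(self):
        self.cipher_changed = {"client": False, "server": False}
        self.handshake_seen = []

    @property
    def encrypted(self):
        return all(self.cipher_changed.values())

    def inspect(self, direction, data):
        """Return True if the segment was inspected, False if inspection is suspended."""
        if self.encrypted:
            return False
        for ctype, payload in tls_records(data):
            if ctype == CHANGE_CIPHER_SPEC:
                self.cipher_changed[direction] = True
            elif ctype == HANDSHAKE and payload and not self.cipher_changed[direction]:
                self.handshake_seen.append(HANDSHAKE_NAMES.get(payload[0], "other"))
        return True

def rec(ctype, payload):  # one TLS 1.2 record (constructed sample data)
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def hs(msg_type, body=b""):  # handshake header (type + 3-byte length) and body
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

SAMPLE_FLOW = [  # constructed session, one entry per reassembled segment
    ("client", rec(HANDSHAKE, hs(1, b"\x00" * 4))),
    ("server", rec(HANDSHAKE, hs(2)) + rec(HANDSHAKE, hs(11)) + rec(HANDSHAKE, hs(14))),
    ("client", rec(HANDSHAKE, hs(16)) + rec(CHANGE_CIPHER_SPEC, b"\x01") + rec(HANDSHAKE, b"\xaa" * 16)),
    ("server", rec(CHANGE_CIPHER_SPEC, b"\x01") + rec(HANDSHAKE, b"\xbb" * 16)),
    ("client", rec(APPLICATION_DATA, b"\xcc" * 32)),
]

def run(flow):
    tracker = SessionTracker()
    return [tracker.inspect(direction, seg) for direction, seg in flow], tracker
```

Handshake records that follow a side's ChangeCipherSpec are already encrypted, so the tracker does not try to name them.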
Note the following when using the SSL preprocessor: