Cisco WSA HTTPS Decryption

Mandeep singh5
Level 1

Hello Team,

We have Cisco WSA S695 Appliance and previously we were using decryption for all traffic due to which we faced the high proxy CPU utilization. Now we're using a decryption policy for certain traffic in which we decrypt some predefined categories.

But here we were facing two major issues. First is that the traffic which is not decrypted is getting blocked, and in access policies we have allowed it. I suspect that non-decrypted traffic is not being checked against the web access policies. So how would I achieve this: for certain users only I can decrypt the traffic, and for the rest it will be checked against my web access policies?

2nd: After enabling the decryption for certain traffic only, my proxy CPU still goes above 90%.

@amojarra 


balaji.bandi
Hall of Fame

There is a good guide below for doing that for only certain sites:

https://www.cisco.com/c/dam/en/us/products/collateral/security/web-security-appliance/guide-c07-741372.pdf

An older document also has the process:

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa_12-0/user_guide/b_WSA_UserGuide_12_0/b_WSA_UserGuide_11_7_chapter_01011.html

Check the videos below (there is a decryption video in case you have not got one):

https://community.cisco.com/t5/video/gallerypage/user-login/Atazazuddin%20Shaikh

Note: there are some high-CPU bugs in Version 15.0X code, so make sure you also check with TAC whether you are hitting that bug rather than your decryption policy.


BB


amojarra
Cisco Employee

Hello @Mandeep singh5 

Hope you are doing well


[1] "First is that the traffic which is not decrypting is getting blocked and in access policies, we have allowed it."

If the traffic is not decrypted, it will not hit an access policy. You need to check the Decryption policy which your request is hitting and see if it is blocked there.

After you decrypt the HTTP traffic, WSA will follow the Access policy.

[2] If you need the traffic to get decrypted for some users:

[2-1] Create an ID profile for those users.

[2-2] Create a Custom URL category for the URL(s).

[2-3] Create a decryption policy and, while creating the policy, add the Custom URL category in the conditions (Advanced section).

[2-4] Set the action in URL filtering to decrypt.

[2-5] Create an Access Policy for that ID profile + custom URL category and configure the access policy as you wish.


Note: please be advised of the top-to-bottom order in WSA.


[3] For high CPU after decryption gets enabled, this could be due to:

[3-1] Complex configuration in WSA (meaning a high number of Custom Cats, RegExs, Access policies, Decryption policies, ID profiles).

https://www.cisco.com/c/en/us/support/docs/security/secure-web-appliance/220375-use-secure-web-appliance-best-practices.html

[3-2] High decryption rate (meaning that you are decrypting too much traffic).

[3-3] WSA is overloaded (meaning that the number of requests per second is too high, or the current sessions are too many for your current model S100x - S300x - S600x).

https://www.cisco.com/c/en/us/support/docs/security/secure-web-appliance/220446-troubleshoot-secure-web-appliance-perfor.html

[3-4] Could be due to some defect(s), for which you need to open a TAC case; we can review the logs from the back end.


Regards,

Amirhossein Mojarrad

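Added illustration (not code from the thread or from Cisco): a simplified model of the evaluation order the answer above describes. HTTPS requests hit the Decryption policies first, top to bottom, and only requests that a matching policy decrypts go on to the Access policies; the user, ID profile, category and policy names are constructed for this example.

```python
# Simplified model of WSA policy evaluation order (constructed example, not Cisco code).
# Decryption policies are consulted first; pass-through/drop traffic never reaches
# the Access policies, so an Access policy "allow" cannot override a Decryption policy.

ID_PROFILES = {"decrypt-users": {"alice", "bob"}}                      # ID profile -> members
URL_CATEGORIES = {"decrypt-sites": {"bank.example", "mail.example"}}  # custom URL category

# Ordered top to bottom: the first policy whose conditions match is applied.
# A condition of None means "any" (the global/default policy at the bottom).
DECRYPTION_POLICIES = [
    {"name": "decrypt-selected", "id_profile": "decrypt-users",
     "category": "decrypt-sites", "action": "decrypt"},
    {"name": "global-decryption", "id_profile": None, "category": None,
     "action": "passthrough"},
]
ACCESS_POLICIES = [
    {"name": "selected-access", "id_profile": "decrypt-users",
     "category": "decrypt-sites", "action": "allow"},
    {"name": "global-access", "id_profile": None, "category": None, "action": "block"},
]


def _matches(policy, user, host):
    """Check the policy's ID profile and URL category conditions against a request."""
    if policy["id_profile"] and user not in ID_PROFILES[policy["id_profile"]]:
        return False
    if policy["category"] and host not in URL_CATEGORIES[policy["category"]]:
        return False
    return True


def first_match(policies, user, host):
    """Top-to-bottom, first match wins (the ordering the answer warns about)."""
    return next(p for p in policies if _matches(p, user, host))


def evaluate_https(user, host):
    """Return (decryption policy, decryption action, access policy, access action)."""
    dp = first_match(DECRYPTION_POLICIES, user, host)
    if dp["action"] != "decrypt":
        # Not decrypted: the request is handled entirely by the Decryption policy.
        return dp["name"], dp["action"], None, None
    ap = first_match(ACCESS_POLICIES, user, host)
    return dp["name"], "decrypt", ap["name"], ap["action"]


if __name__ == "__main__":
    for user, host in [("alice", "bank.example"), ("carol", "bank.example"),
                       ("alice", "other.example")]:
        print(user, host, evaluate_https(user, host))
```

Swapping the order of the two entries in DECRYPTION_POLICIES makes the global policy match first for everyone, which reproduces the "allowed in Access policy but still not decrypted" symptom.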