topic > Actually I dont use FTD ,I in Network Security

FTD running in ASA Mode

roberto cotto — Fri, 21 Feb 2020 14:00:58 GMT

does CIsco firesight running ni ASA mode sipport using FQDN in Access-list to allow or block access by ports ex SSh

If you have the Firepower URL

Philip D'Ath — Wed, 15 Feb 2017 03:20:36 GMT

If you have the Firepower URL licence you can definitely block by URL ...

If the ASA software is not too old you can also block by FQDN on the ASA side.

FTD is running in ASA AND

Claudiu Cismaru — Thu, 16 Feb 2017 19:54:06 GMT

FTD is running in ASA AND Firepower mode in the same time. There's no separate way of operations.

You can add URL based rules. Or you can add application (like SSH) or you can add ports.

thanks for the responce

roberto cotto — Tue, 21 Feb 2017 18:41:47 GMT

thanks for the responce

Hi Philip ,

hacizeynal — Wed, 22 Feb 2017 07:32:28 GMT

Hi Philip ,

Although Firepower has this ability ( at least they insist ) they can not block majority of porn sites ,I am totally fed up with these small issues which made me crazy ,all of them are fall to uncategorized category which actually they should not.I know that Checkpoint or PaloAlto has URL report webpages which you can request to change specific site's category .

They block. Maybe there's

Claudiu Cismaru — Wed, 22 Feb 2017 08:50:18 GMT

They block. Maybe there's something wrong on your setup. Or there could be other configuration issues.

what issues ? I dont think

hacizeynal — Wed, 22 Feb 2017 09:46:35 GMT

what issues ? I dont think there is configuration error ,if you want i can share my policy

Well. Assuming that you have

Claudiu Cismaru — Wed, 22 Feb 2017 09:52:37 GMT

Well. Assuming that you have the license active, I need to know what is the ASA model you have. Also the version of the FTD.

If the database is correctly setup on the FTD and the model is not 5506 (where the size of the database is much smaller), you also need to configure the FMC to query the cloud for URLs are not in the database.

Also, check the FQDN you are testing with against brightcloud.com and see what's the category.

Actually I dont use FTD ,I am

hacizeynal — Wed, 22 Feb 2017 09:55:09 GMT

Actually I dont use FTD ,I am using version 6.2 Firepower and my sensor is 5525

I have done it man all of

hacizeynal — Wed, 22 Feb 2017 10:13:21 GMT

I have done it man all of them ! still doesnt work 😞 , Unfortunately I dont have license for opening TAC ,what do you recommend me to do ?

> Actually I dont use FTD ,I

Claudiu Cismaru — Wed, 22 Feb 2017 10:28:09 GMT

> Actually I dont use FTD ,I am using version 6.2 Firepower and my sensor is 5525

Are you using 6.2 as SFR module in ASA? Do you have connection events on the FMC?

I don't really understand your setup. Also, if you don't run FTD (which has a trial 90 days of URL licensing) and you don't have an URL license, what are you trying to achieve will not work.

I am using Firepower ,not FTD

hacizeynal — Wed, 22 Feb 2017 10:58:26 GMT

I am using Firepower ,not FTD ,I have 90 days proper license for this feature ,that's why it should work man

FTD means Firepower Threat

Claudiu Cismaru — Wed, 22 Feb 2017 11:01:35 GMT

FTD means Firepower Threat Defense.

Attach an screenshot of your Access Control Policy.

Also, a screenshot from

Claudiu Cismaru — Wed, 22 Feb 2017 11:03:22 GMT

Also, a screenshot from System -> Integration page, where URL filtering configuration is shown.

FYI

hacizeynal — Wed, 22 Feb 2017 11:25:33 GMT

FYI

hacizeynal — Wed, 22 Feb 2017 11:26:42 GMT

FYI

You're doing it wrong. The

Claudiu Cismaru — Wed, 22 Feb 2017 11:47:06 GMT

You're doing it wrong. The URL categories should be configured on the URLs tab of the ACP rule, not on the Applications.

Please check the documentation for further information:

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Access_Control_Rules__URL_Filtering.html#ID-2189-000001c1

I am sorry I did wrong screen

hacizeynal — Wed, 22 Feb 2017 11:55:53 GMT

I am sorry I did wrong screen ,it should be like that .

Have an endpoint where you

Claudiu Cismaru — Wed, 22 Feb 2017 12:08:56 GMT

Have an endpoint where you can troubleshoot from (used to try to access one of the destinations in those categories). Is recommended that endpoint to not generate too much other traffic

Open a ssh connection to the FTD's management IP. From cli, run:

system support firewall-engine-debug

Provide the filtering info, like this:

Please specify an IP protocol: tcp
Please specify a client IP address: your_endpoint_IP_address
Please specify a client port:
Please specify a server IP address:
Please specify a server port:

Now, while it runs, access one of the websites. Stop the debug with CTRL+C. Grab the output and add it in here.