topic Re: Cisco FirePower URL Blocking in Network Security

Cisco FirePower URL Blocking

burfisaini03 — Fri, 31 Jul 2020 13:09:13 GMT

Hi community

I have a question in-regards to URL blocking. I want to set a rule in policy that would allow me to block all website access except for specific websites, AD users need such as email (owa/outlook client), ticketing system (spiceworks), etc..

How would you guys approach this? The way I have done this is but creating an allow rule to the websites they need access to, and right under creating a block rule with "ANY", however, I have noticed ALLOWED websites are loading very slow, and Outlook takes 5 minutes on its initial boot-up. What am I doing wrong here and is there a better way to approach this?

Thank you in advance

Re: Cisco FirePower URL Blocking

Mohammed al Baqari — Fri, 31 Jul 2020 13:46:33 GMT

Hi,

URL filtering shouldn't cause slowness unless you are doing ssl
interception which is impacting performance because of decryption.

>From CLISH check show cpu and show memory detail

Re: Cisco FirePower URL Blocking

burfisaini03 — Thu, 06 Aug 2020 16:04:10 GMT

Hello Mohammed

We are not using any SSL with this policy.

It's a simple policy that allows internet access to all users, except for specific AD users, that have a "denied ANY" except for couple of websites that I have allowed specifically for these users, placed above this block ANY rule. However, these allowed websites are taking a long time to load, taking up to almost 2-5 minutes. We are also noticing Office 365 online portal doesn't take us to the next steps after sign-in because it's using different URLs in the back-end (for authentication). I hoped by just allowing "microsoft.com, office365.com or outlook.com, etc." would help but like I said there are more urls involved and it sucks I have to go in and allow more and urls just to get one website to work properly. Please let me know if you or anyone else has encountered this issue

Thanks!

Re: Cisco FirePower URL Blocking

Mohammed al Baqari — Fri, 07 Aug 2020 01:38:05 GMT

Hi,

You can refer to o365 online urls guide which includes all the details
published by ms.

For url filtering delay, this is a surprise to see. If you aren't using ssl
policy then I am assuming that the slowness for http websites only. In
this case what actions do you have on the rule (ips, file, etc).

Re: Cisco FirePower URL Blocking

burfisaini03 — Fri, 07 Aug 2020 14:20:39 GMT

I found the Microsoft page with their URL's and IP addresses, there are a lot of addresses and I think URL filtering only supports max up to 50 entries. Do you know if FMC supports wildcards? I may have to shorten a few of them to fit these requirements. Ex. *.microsoft.com

I do have a policy that does Incoming/Outgoing File inspection but nothing else I see that could be impacting this. I don't understand why this would only effect the AD users specified, all other users excluded from this list have no issues, could this be an issue on the AD end and if so, I can't think of reasons why? 😕

Thanks!

Re: Cisco FirePower URL Blocking

Marvin Rhoads — Fri, 07 Aug 2020 14:56:03 GMT

There's a Github repo that has a project for downloading the Microsoft URLs in to FMC as an object which can then be used as needed in an Access Control Policy.

Have a look at it here:

https://github.com/chrivand/Firepower_O365_Feed_Parser