topic Re: Cisco FTD URL Filtering rule issues in Network Security

Cisco FTD URL Filtering rule issues

telesymbol — Fri, 13 May 2022 19:52:27 GMT

Dear All,

we've installed two 2130 FTDs in HA, managed with FMCv, we've configured a rule to block facebook & Youtube. on the Application tab we've selected HTTP & HTTPS plus on the URL tab we've added facebook.com & youtube.com urls. but the traffics are passing and please advise on the issue.

FMC version 7.0.1, FTD version 6.6.1

Regards

Re: Cisco FTD URL Filtering rule issues

Sheraz.Salim — Sat, 14 May 2022 08:41:43 GMT

could you confirm your rule blocking facebook and youtube there is no allow any any on above/top of it. what you can do Is to change the rule number. Forexample put your block rule on No1 on the ACP policy and check it. Also it seem you have URL lic as you mentioned that you put the web address in URL too.

Re: Cisco FTD URL Filtering rule issues

MHM Cisco World — Sun, 15 May 2022 11:57:24 GMT

I think for FTD there is Blacklist and whitelist for Web, you must include these Web site to this list.
this list is override the other ACL.

Re: Cisco FTD URL Filtering rule issues

Marius Gunnerud — Sun, 15 May 2022 20:31:25 GMT

Could you post the log entry for the traffic that is being allowed which should be denied.

My initial thought is that this traffic is not matching on the Application field. I suggest you use port tcp/80 and tcp/443 instead of application.

Re: Cisco FTD URL Filtering rule issues

telesymbol — Tue, 17 May 2022 09:09:46 GMT

Dear All,

the rule is placed on top of all rules. and for test purpose we've blocked other sites like BBC, CNN, Gmail and others and works as expected but not for facebook and youtube. our FTD version was 6.6.1, upgraded it to 6.6.5 but nothing changed. we've disabled all DNS rules, do we need to create SSL policy for URL filtering ?

regards

Re: Cisco FTD URL Filtering rule issues

Marius Gunnerud — Tue, 17 May 2022 10:42:18 GMT

Again, as I mentioned in my previous post, you need to look at the logs that are allowing facebook.com and youtube.com. My initial thought, as also mentioned earlier, is that you are not matching on http and https application field. I suggest using ports http and https or just remove that and only match on the URL. Optionally you could check if there is a Facebook and YouTube application you can match on.

Re: Cisco FTD URL Filtering rule issues

telesymbol — Tue, 17 May 2022 18:57:32 GMT

please find attached screen shots of the policy configured. regarding the logs i found some logs for facebook labeled blocked but its accessible by chrome bowser on some PCs but not on firefox and edge and vice versa on the rest of PCs.

there is no log for youtube, but accessible on all browsers

Re: Cisco FTD URL Filtering rule issues

MHM Cisco World — Tue, 17 May 2022 19:29:27 GMT

https://www.lookingpoint.com/blog/whitelist/blacklist-ips-and-urls-in-fmc

check this.

Re: Cisco FTD URL Filtering rule issues

Marius Gunnerud — Tue, 17 May 2022 20:24:38 GMT

I suggest creating a separate rule that denies Facebook and YouTube. The new rule should only match on Facebook and YouTube application, do not include URL. And then test.

Re: Cisco FTD URL Filtering rule issues

SinghRaminder — Tue, 17 May 2022 20:58:09 GMT

Any proxy in between the Client and the Firepower or your FTD is acting as proxy?

As others mentioned, create two separate rules, if you need, use Facebook and Youtube for applications only and another rule for URL

Re: Cisco FTD URL Filtering rule issues

SinghRaminder — Tue, 17 May 2022 21:31:04 GMT

Also take the debug with :

System support debug-firewall-engine

Use the parameters like tcp source ip, destination fqdn and it will give you the rule you are matching, will come to know what you are missing.

Re: Cisco FTD URL Filtering rule issues

Sheraz.Salim — Wed, 18 May 2022 00:18:38 GMT

Change your rule from "Block with rest" to "Block".

most probably if inside traffic tcp is going to facebook/youtube as tcp syn and it getting the syn-ack where as your rule does say Block with rest. try to but Block.

also as mentioned use the command "System support debug-firewall-engine" on your FTD cli.

system support firewall-engine-debug

Please specify an IP protocol: tcp
Please specify a client IP address: x.x.x.x
Please specify a client port:
Please specify a server IP address: youtube/facebook
Please specify a server port:
Monitoring firewall engine debug messages

you can get the youtube/facebook ip addresses from your event logs so you can test them and check the output

Re: Cisco FTD URL Filtering rule issues

telesymbol — Thu, 19 May 2022 19:41:59 GMT

Dear All,

Finally we've configured DNS Policy with a rule that blocks facebook.com and youtube.com domains and applied on the ACP. at the moment we're able to block both facebook and youtube. but there are some users who need access to facebook and youtube. please advise how to exceptionally allow them

reagrds

Re: Cisco FTD URL Filtering rule issues

SinghRaminder — Thu, 19 May 2022 20:02:14 GMT

There are some ways:

1. If you have AD integration, use it for allowing and move it to the top in ACP

2. If you have SGT, you can do that with ISE as well ACP

3. Assign then a different VLAN and use Source Group with that range and allow it

4. Assign them reserved IP and add them to the allowed list

Other than that, i may be missing something, experts - please let me know as well

Re: Cisco FTD URL Filtering rule issues

Marius Gunnerud — Sat, 21 May 2022 21:04:15 GMT

Depending on how many users need to access facebook and youtube I would consider my options in the following order:

1. you might want to consider giving them static IPs as this will be much easier to manage

2. set up AD connectors for the FMC, and then make rules that match on the users AD accounts or AD groups they are member of.

3. I would not even consider SGT for this solution unless you plan on implementing it throughout your network. The financial and technical cost of implementing this far exceeds the rewards for just a few users.

Re: Cisco FTD URL Filtering rule issues

telesymbol — Wed, 01 Jun 2022 13:48:11 GMT

we've achieved this by creating different DNS rules

Re: Cisco FTD URL Filtering rule issues

mingho — Thu, 06 Oct 2022 11:24:56 GMT

Hello,

We are not successful applying DNS Policy blocks for youtube.com. Works for Firefox but not Chrome. Do you mind sharing your settings?

Regards