topic Re: URL Category Block in Network Security

URL Category Block

ssan239 — Thu, 11 May 2023 09:33:19 GMT

Hi Team,

May i know if we configure a Rule with certain unwanted URL Categories to Block on top of the rule base. Will it block only the categories and allow any other traffic from that rule?

Re: URL Category Block

balaji.bandi — Thu, 11 May 2023 09:55:42 GMT

yes it matches the URL it will block only - the order rule top down. (so global rule will catch allowed all )

Re: URL Category Block

Rob Ingram — Thu, 11 May 2023 09:58:20 GMT

@ssan239 the cisco recommendations L3/L4 traffic should come before rules that require inspection (URL filtering in your instance), as inspection L3/L4 can be evaluated quicker and without inspection.

If your rules only contain URL categories to block it will only block those categories.

Re: URL Category Block

Marvin Rhoads — Thu, 11 May 2023 10:03:01 GMT

Yes. It requires the URL Filtering license to block based on category. Assuming you have that, the Block rule will check for the traffic and, if it is found to be destined to a URL categorized among your block categories, it will be blocked.

Any traffic not matching that rule will be evaluated against the subsequent rules in your Access Control Policy.

Re: URL Category Block

ssan239 — Thu, 11 May 2023 10:42:28 GMT

Thanks a lot Balaji, Rob and Marvin for the quick reply.

If it is not matching the category in the block rule then it will continue checking the other rules from top to bottom approach and act based on the other ACLs below the Block URL rule?

I want to be more specific on this. Please help me for better understanding on this.

If i configure a rule on top of my rule base as below:

Src Zone: Any

Dst Zone: Any

Src: Any

Dst: Any

URL Category: Spyware, Phishing

Action: Block

In this case i am blocking on Spyware and Phishing and it is on top of the rule base. So if the traffic is not matching this category, then will the packet be implicitly allowed or will it check the next rules with the IP address config and allow or deny based on the config?

Re: URL Category Block

Rob Ingram — Thu, 11 May 2023 11:13:32 GMT

@ssan239 I would say you should explictly define the SRC (inside) DST (outside) zones and the SRC network (local networks) at a minimum.

Re: URL Category Block

ssan239 — Thu, 11 May 2023 11:27:36 GMT

Any reason Rob?

Re: URL Category Block

Rob Ingram — Thu, 11 May 2023 11:37:31 GMT

@ssan239 if you don't specify the SRC/DST zones and/or networks, all traffic is evaluated against those rules to determine if there is a match. It's more efficient if you are specific when you write the rules.

Re: URL Category Block

ssan239 — Thu, 11 May 2023 11:47:05 GMT

Thank you Rob for clarification.

Apart from all traffic being checked by the rule, Will it allow other category traffic as we are blocking only Spyware and Phishing on top of the rule base?

Re: URL Category Block

Rob Ingram — Thu, 11 May 2023 12:12:05 GMT

@ssan239 traffic that does not match the rule that blocks spyware and phishing will be processed by the other rules in the policy.

Re: URL Category Block

ssan239 — Thu, 11 May 2023 11:55:11 GMT

The same rule allow all the other traffic other than Spyware and Phishing is it? If this is the 1st rule in the policy then it will allow everything else and it will not even check the 2nd policy is it? Sorry for being a pain but need to get complete understanding on this. As i am not getting complete picture with the documents i read.

Re: URL Category Block

Rob Ingram — Thu, 11 May 2023 12:09:21 GMT

@ssan239 traffic that is not spyware or phishing will not match that rule, they will be evaluated by the other rules in the Access Control Policy and permitted/denied accordingly.

Re: URL Category Block

ssan239 — Thu, 11 May 2023 12:21:04 GMT

Thank you Very Much Rob for the clear explanation 🙂

Re: URL Category Block

ssan239 — Tue, 16 May 2023 16:21:49 GMT

Hi Rob,

I am hearing lot of other things about the below policy on top.

Src Zone: Any

Dst Zone: Any

Src: Any

Dst: Any

URL Category: Spyware, Phishing

Action: Block

Will FTD allow any traffic from Outside to Inside 3 to 5 packets through in order for a handshake to establish so it can compare the details with the categories in the rule?

Re: URL Category Block

Rob Ingram — Tue, 16 May 2023 16:37:11 GMT

@ssan239 yes, identification should occur within 3 to 5 packets, or after the server certificate exchange in the TLS/SSL handshake if the traffic is encrypted. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/access-url-filtering.html

Re: URL Category Block

ssan239 — Wed, 17 May 2023 06:25:54 GMT

Thank you Rob,

So this mean any public IP accessing inside server on some random port will be allowed 3-5 packets from the rule above and try TCP handshake or SSL handshake and then see if it is matching the category(Phishing and Spyware). If it doesn't match then it will go ahead with other rules is it?

Re: URL Category Block

Rob Ingram — Wed, 17 May 2023 08:43:08 GMT

@ssan239 I think it's unlikely you are hosting phishing or spyware servers? In which case don't use "any" as the Source Zone, it's inefficient (as mentioned previously). You probably want a rule from Inside to Outside for URL filtering. Then inbound traffic from a public IP addressing will not match the URL filtering rule and be processed by another rule.

Re: URL Category Block

ssan239 — Wed, 17 May 2023 10:45:01 GMT

Thank you Rob,

True, but we do have remote access VPN setup so this has been implemented as Any Source Zone.

Re: URL Category Block

ssan239 — Wed, 17 May 2023 11:15:52 GMT

Hi Rob,

So does it mean it will allow traffic from out to In using this rule? We have Remote Access VPN users coming from outside so implementing the URL category rule for them will also can cause the issue is it?

Sorry for being a pain but trying to get more knowledge to follow the best practice.

Re: URL Category Block

Rob Ingram — Wed, 17 May 2023 11:28:02 GMT

@ssan239 if you don't specify source/destination zone and/or network and just on URL category, then that rule will be processed from any direction (inside to outside and vice versa and any other interface). If you want to follow the best practice, then as stated before don't use "any", specify the source/destination, therefore there is no ambiguity.