topic Re: Blocking TikTok app on Firepower 2140 in Network Security

Blocking TikTok app on Firepower 2140

net_ad — Fri, 23 Aug 2024 12:58:16 GMT

The 2140s are managed by FMC.

In my ACPs, I have a policy for blocking. In this policy, the main components it is blocking are URLs. We have all the default groups that should be blocked. And we also have a custom list of URLs that we block to. This list is made in Objects> security intelligence> URL lists and feeds.

https://imgur.com/a/admkjnI

The list is just a .txt file that is a master list of 1500+ URLs that we block and I just upload it into FMC. One of the urls on the list is www.tiktok.com, and it works great at blocking access to tiktok from a web browser.

The issue is that the tiktok app is still accessible. Weather it be a windows app or a ios/android phone app, you can still access it that way.

You can see in the screenshot of the access control policy that I did add tiktok and tiktok music app to the block list. That did not block the tiktok app though. I then went into objects>application filters and created a custom filter. I named it Tiktok and in there, also added tiktok and tiktok music app. I then applied that filter to the ACP. Still no luck. Tiktok is still accessible on phones and windows apps.

So I started to watch the logs as I was accessing tiktok from my phone to see what is coming up. I can see the tiktok web application being used, and noticed that everytime it is accessed, it is a different url everytime....

https://imgur.com/a/FHswKip

So my question is, what is the right way to make sure the tiktok app is blocked from our network? Am I doing the app blocking correctly? Is there some type of wildcard url filter I need to put in to block all the random tiktok urls coming up from the app being used? As I said, i am blocking "www.tiktok.com" from web browsers via url filtering, but just cant figure out how to block the actual app.

Thanks!

Re: Blocking TikTok app on Firepower 2140

Marvin Rhoads — Fri, 23 Aug 2024 13:10:22 GMT

Make separate ACP entries for URLs and Apps. Otherwise the rule logic looks to logically combine (Boolean AND) the separate parameters.

Re: Blocking TikTok app on Firepower 2140

Marius Gunnerud — Fri, 23 Aug 2024 15:02:49 GMT

Try making an ACP rule and only include the TikTok app and the source subnets you want to block for.

Re: Blocking TikTok app on Firepower 2140

davparker — Fri, 23 Aug 2024 15:16:22 GMT

Have you tried a rule where you block the detected application? You could try inserting that about the rule that blocks the URL list.

Re: Blocking TikTok app on Firepower 2140

net_ad — Fri, 23 Aug 2024 15:47:32 GMT

So I tried that and still no luck. I have attached pictures so you can see the rule I made, its placement, and the logs I am seeing from the iphone I am testing with.

Here is also a link that might make it easier to look at the 3 pictures....

https://imgur.com/a/mkIsJLJ

Re: Blocking TikTok app on Firepower 2140

net_ad — Fri, 23 Aug 2024 15:47:47 GMT

So I tried that and still no luck. I have attached pictures so you can see the rule I made, its placement, and the logs I am seeing from the iphone I am testing with.

Here is also a link that might make it easier to look at the 3 pictures....

https://imgur.com/a/mkIsJLJ

Re: Blocking TikTok app on Firepower 2140

net_ad — Fri, 23 Aug 2024 15:46:59 GMT

So I tried that and still no luck. I have attached pictures so you can see the rule I made, its placement, and the logs I am seeing from the iphone I am testing with.

Here is also a link that might make it easier to look at the 3 pictures..

https://imgur.com/a/mkIsJLJ

Re: Blocking TikTok app on Firepower 2140

MHM Cisco World — Fri, 23 Aug 2024 16:35:57 GMT

I think you need ssl decrypt'

The FTD can not detect app-id until it decrypt ssl session and see inside packet.

You need to check if traffic is http or https

Sorry you need license I think to run this feature

MHM

Re: Blocking TikTok app on Firepower 2140

net_ad — Fri, 23 Aug 2024 16:51:46 GMT

So how can it block https://www.tiktok.com if it too is using https?

Re: Blocking TikTok app on Firepower 2140

MHM Cisco World — Fri, 23 Aug 2024 16:53:41 GMT

Ssl policy you need

MHM

Re: Blocking TikTok app on Firepower 2140

net_ad — Fri, 23 Aug 2024 16:55:21 GMT

hmm ok. I might need to open a tac case

Re: Blocking TikTok app on Firepower 2140

MHM Cisco World — Fri, 23 Aug 2024 17:01:23 GMT

Sure Open TAC abd check them opinion

aap detect is happened before and after ssl decrypt' so this my view to issue

Goodluck and update us about solution

MHM

Re: Blocking TikTok app on Firepower 2140

net_ad — Fri, 23 Aug 2024 17:03:39 GMT

Yeah not saying I dont trust your opinion, but creating an SSL decryption policy is above my level. Going to open a TAC case to assist with that. Thanks!

Re: Blocking TikTok app on Firepower 2140

MHM Cisco World — Fri, 23 Aug 2024 17:07:21 GMT

Friend

You are so welcome anytime

MHM

Re: Blocking TikTok app on Firepower 2140

davparker — Fri, 23 Aug 2024 18:22:41 GMT

I found the Cisco Secure Firepower documentation on setting up decryption to be lacking. If you are in an Active Directory environment, this video may be useful.

https://www.youtube.com/watch?v=tAIdcZ3EBiw

Once you have the Sub-CA enabled and are able to decrypt traffic, this doc proved quite useful for me in crafting the decryption policy.

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3063.pdf

Re: Blocking TikTok app on Firepower 2140

net_ad — Fri, 23 Aug 2024 18:26:34 GMT

Seems like this is going to get more complicated than what I thought