topic Re: firepower custom URL feed in ACP rule in Network Security

firepower custom URL feed in ACP rule

tato386 — Wed, 18 Sep 2024 12:36:09 GMT

My understanding is that URL feeds in FirePower SI are updated dynamically and take effect w/o having to do a policy deploy to the FTD. Does the same apply to custom URL feeds used in an ACP rule? My idea would be to create a custom URL feed on a local web server which is then used in an ACP rule. Local admins would have access to the URL feed file on the webserver and can edit this file(s) to block or allow URLs w/o having access to the FMC or FTD. Will this work?

TIA

Re: firepower custom URL feed in ACP rule

Rob Ingram — Wed, 18 Sep 2024 13:06:05 GMT

@tato386 yes, create the custom URL feed and define an update frequency for the FMC to automatically check for updates, policy should not need to deployed.

Re: firepower custom URL feed in ACP rule

tato386 — Wed, 18 Sep 2024 15:46:12 GMT

cool. is there a file or folder on the FTD that I can use to check the status of this feed? I know I can just test by generating some traffic that matches the ACP rule but seems easier just to SSH into the FTD and poke around.

Re: firepower custom URL feed in ACP rule

Rob Ingram — Wed, 18 Sep 2024 15:53:12 GMT

@tato386 try the relevant FTD folder below:-

Re: firepower custom URL feed in ACP rule

tato386 — Wed, 18 Sep 2024 19:15:45 GMT

FTD gets the update pretty quick from the FMC, nice.

you da man!

Re: firepower custom URL feed in ACP rule

MHM Cisco World — Fri, 20 Sep 2024 11:37:42 GMT

Why you correct the URL receive from talos ? and even if you remove some URL you need to do this process each time the talos send update

so there are two list
Block-list and Do-not-block-list
add URL you need to allow under block list
and this way you dont need each time add/remove url from talos list

Re: firepower custom URL feed in ACP rule

tato386 — Fri, 20 Sep 2024 18:40:55 GMT

Hello @MHM Cisco World

I am not interfering with the lists provided by Talos. I am adding additional custom URL feeds for domains that do not appear in Talos. These URL feeds will be used in ACP rules, not SI. For example, let's say I have an ACP rule that blocks the category "Shopping" but I need to make an exception for amazon.com (the users will kill me if I don't allow Amazon, right?). Adding it to SI global-do-not-block will not bypass the ACP block of "shopping" sites. However, I can add an ACP rule before the shopping rule that references my custom URL feed.

Obviously, I can just add URLs manually to this rule but that would require access to FMC and a deployment to the FTD. By storing this feed on a protected server share we can allow authorized non-tech, non-FMC users to add exceptions for domains and also have the change take effect withing minutes without needing a deploy.

We can do similar with domains that we want blocked but in that case I would use the custom feed directly in SI because a block in SI is final and will not go to the ACP.

HTH

Re: firepower custom URL feed in ACP rule

MHM Cisco World — Mon, 23 Sep 2024 10:08:46 GMT

Friends there is fqdn and dns and url

So I think you talking about using fqdn not url, url always done in SI.

Can I see the ACP you use

Thanks alot

MHM

Re: firepower custom URL feed in ACP rule

tato386 — Mon, 23 Sep 2024 18:20:59 GMT

If you create custom feeds they will be available for use in ACP rules. In my case the feed files are simple text files that look like this:

domain1.com

domain2.com

Re: firepower custom URL feed in ACP rule

MHM Cisco World — Fri, 08 Nov 2024 08:04:01 GMT

Sorry I take me some time to reply but really I am busy
anyway

you me confuse and after some deep dive I brief what I get
URL

1- using URL filtering which is use
A- manual URL (object)<<- this what you looking for
B- category URL (need license dynamic feed)

2-URL SI
A- Talos
B- custom list feed <<- this what I was mention above

https://rayka-co.com/lesson/cisco-ftd-url-filtering/#:~:text=Cisco%20FTD%20URL%20Filtering%20Concept&text=Reputations%20are%20from%20trusted%20websites,that%20come%20in%20each%20category.&text=If%20you%20allow%20a%20reputation,levels%20will%20be%20also%20blocked.

MHM