topic Re: Url and application filtering on FTD in Network Security

Url and application filtering on FTD

Vishal6 — Mon, 23 Jun 2025 12:14:11 GMT

Hello,

Wants to deployed MX105 at core level and FTD at perimeter level in our network. However i have procure utm licenses for MX appliances, not for FTD.

1. Can i achieve the url filtering at FTD after it gets filter from MX.

2. Wants to achieve load balancing using Meraki MX (using as a core FW) where FTD will be perimeter.

Attached diagram for reference.

Re: Url and application filtering on FTD

MHM Cisco World — Mon, 23 Jun 2025 12:31:08 GMT

It ok to use ftd url filter after other fw (except it will little slow your traffic if first fw also use url filter)

For other Q can you more elaborate

Thanks

MHM

Re: Url and application filtering on FTD

Vishal6 — Mon, 23 Jun 2025 12:33:42 GMT

One more query,

As we are not directly connecting Mx to Internet, how warm spare works here ?.

Would MX capture both isp ip address via FTD

Will using single private uplink ip address (Link between FTD and MX) able to form warmspare ?

Re: Url and application filtering on FTD

Aref Alsouqi — Mon, 23 Jun 2025 16:21:57 GMT

Yes it should work, because from the MXs perspective they just need to be connected to Meraki dashboard, it doesn't really matter if they are connected directly to the internet or via another device as in your case. When the primary MX doesn't reach the Meraki dashboard anymore it will be assumed that is down and the secondary MX will become the primary. In your shared diagram there are no links between the switches, I'm assuming the switches will be connected to each other and both firewalls will be connected to each switch. That will provide you full resiliency. Regarding using URL filtering on the MX, as already mentioned, that shouldn't be an issue, you can turn on whichever security features on the MX and do part of the security inspections on them and leave the rest for the FTDs based on the licenses installed.

Re: Url and application filtering on FTD

Vishal6 — Wed, 25 Jun 2025 06:03:05 GMT

What if FTD don't have any threat, malware and url filtering license? Still it will process the traffic coming via Mx

Re: Url and application filtering on FTD

Vishal6 — Wed, 25 Jun 2025 06:05:46 GMT

What about sdwan features on MX ?. Will it do load balancing as public IP link directly terminated on FTD and it (FTD) mostly use usp link for redundancy

Re: Url and application filtering on FTD

Aref Alsouqi — Wed, 25 Jun 2025 13:26:12 GMT

I don't think that will work because even if connect each MX to both firewalls, one of the firewalls will be passive, so the MX will have no chance to load balance the traffic accross the two firewalls.

Re: Url and application filtering on FTD

Aref Alsouqi — Wed, 25 Jun 2025 13:28:24 GMT

Can't see why not. Traffic routing will still work as normal, and the FTD will process that traffic just fine. The only thing is that the FTD in that case won't be doing any security inspection apart from the normal access lists checks.

Re: Url and application filtering on FTD

Vishal6 — Wed, 25 Jun 2025 17:23:22 GMT

Here 2 isp link will be terminated to both FTD, but primary FTD will use one isp at a time still it goes down. Can mx provide sdwan features here ?

Re: Url and application filtering on FTD

Aref Alsouqi — Thu, 26 Jun 2025 15:21:19 GMT

I don't think it will because from the MX perspective it wouldn't be aware of the two ISP links nor their status, the MX would only have a point-to-point link to the active FTD. Why not to move the MXs to the edge and place the FTDs behind them?

Re: Url and application filtering on FTD

Vishal6 — Mon, 30 Jun 2025 17:57:30 GMT

Hi Aref,

Can i configure Warmspare between my Mx as per attached architecture in my very first post.

Re: Url and application filtering on FTD

Aref Alsouqi — Tue, 01 Jul 2025 09:05:16 GMT

Hi Vishal. I can't see why not. However, you need to make sure that both MXs are able to receive the VRRP heartbeats sent by each other. In the diagram you shared there is no link between the two switches, if that will stay as is, then you need to connect each MX to both switches, or you need to connect the two switches together. Actually, best practice to provide full reseliency would be to connect each MX to each switch and connect both switches together or having them stacked.

Re: Url and application filtering on FTD

Vishal6 — Tue, 01 Jul 2025 12:31:57 GMT

Hi,

As per meraki documentation, for warmspare we need individual ip for each meraki mx uplink ip. In my case both meraki mx would have same ip as it directly connected to Ftd (working as active passive setup). PFB link

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair

Regarding switch, yes it will have interconnected links.

Re: Url and application filtering on FTD

Aref Alsouqi — Tue, 01 Jul 2025 15:24:38 GMT

To which section in the document are you referring to? wouldn't each of the MXs in your case have its own IP for the connection with the active FTD?