https://community.cisco.com/t5/network-security/url-whiltelisting-on-asa-without-firepower-license/m-p/3712446#M14441 <P>You can build one as example shown below document.</P> <P>&nbsp;</P> <P><A href="https://community.cisco.com/t5/security-documents/asa-url-filtering-without-a-websense-or-n2h2-smartfilter-server/ta-p/3116352" target="_blank">https://community.cisco.com/t5/security-documents/asa-url-filtering-without-a-websense-or-n2h2-smartfilter-server/ta-p/3116352</A></P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/115998-asa-http-product-configuration-example-00.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/115998-asa-http-product-configuration-example-00.html</A></P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100535-asa-8x-regex-config.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100535-asa-8x-regex-config.html</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 24 Sep 2018 20:40:20 GMT balaji.bandi 2018-09-24T20:40:20Z https://community.cisco.com/t5/network-security/url-whiltelisting-on-asa-without-firepower-license/m-p/3712110#M14436 <P>Hi</P> <P>We want to deny all outbound web access except to a group of about 10 whitelist URL domains on an ASA 5525-X with FirePOWER services. Is it possible to do this on the ASA without an add-on FirePower license? Will this have a significant performance impact?</P> Fri, 21 Feb 2020 16:16:29 GMT https://community.cisco.com/t5/network-security/url-whiltelisting-on-asa-without-firepower-license/m-p/3712110#M14436 PETER NEGUS 2020-02-21T16:16:29Z https://community.cisco.com/t5/network-security/url-whiltelisting-on-asa-without-firepower-license/m-p/3712148#M14438 <P>It is possible to create an object within the ASA using a FQDN. To do this the ASA has to be able to resolve names.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>dns domain-lookup inside<BR />dns server-group DefaultDNS<BR />&nbsp;name-server x.x.x.x<BR />&nbsp;domain-name company.com</P> <P>&nbsp;</P> <P>Example of a FQDN object</P> <P>&nbsp;</P> <P>object network site.example.com<BR />&nbsp;fqdn site.example.com</P> <P>&nbsp;</P> <P>You then put this into an ACL. i.e. access-list inside-in extended permit tcp object inside-networks object site.example.com eq www </P> <P>&nbsp;</P> <P>Note issues will occur if a site utilises global load balancers, where your inside clients resolve site.example.com as xyz but the ASA gets the IP zyx. Also, you can't do wildcards i.e. *.microsoft.com</P> <P>&nbsp;</P> <P>Ultimately, if it's really basic you can do it. Otherwise you need something designed for a web gateway.</P> <P>&nbsp;</P> <P>Joel</P> Mon, 24 Sep 2018 14:47:55 GMT https://community.cisco.com/t5/network-security/url-whiltelisting-on-asa-without-firepower-license/m-p/3712148#M14438 Joel 2018-09-24T14:47:55Z https://community.cisco.com/t5/network-security/url-whiltelisting-on-asa-without-firepower-license/m-p/3712158#M14440 Thank you very much for your suggestion. Unfortunately it doesn't work in our case because we have multiple target hosts within a domain, which need to be expressed as a wildcard - for example *.anynet.network.com . As the FQDN is based on a DNS lookup, wildcards don't work.<BR /><BR /><BR /><BR />Sorry for not making my initial query clearer<BR /><BR /><BR /><BR />Peter<BR /> Mon, 24 Sep 2018 14:56:34 GMT https://community.cisco.com/t5/network-security/url-whiltelisting-on-asa-without-firepower-license/m-p/3712158#M14440 PETER NEGUS 2018-09-24T14:56:34Z https://community.cisco.com/t5/network-security/url-whiltelisting-on-asa-without-firepower-license/m-p/3712446#M14441 <P>You can build one as example shown below document.</P> <P>&nbsp;</P> <P><A href="https://community.cisco.com/t5/security-documents/asa-url-filtering-without-a-websense-or-n2h2-smartfilter-server/ta-p/3116352" target="_blank">https://community.cisco.com/t5/security-documents/asa-url-filtering-without-a-websense-or-n2h2-smartfilter-server/ta-p/3116352</A></P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/115998-asa-http-product-configuration-example-00.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/115998-asa-http-product-configuration-example-00.html</A></P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100535-asa-8x-regex-config.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100535-asa-8x-regex-config.html</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 24 Sep 2018 20:40:20 GMT https://community.cisco.com/t5/network-security/url-whiltelisting-on-asa-without-firepower-license/m-p/3712446#M14441 balaji.bandi 2018-09-24T20:40:20Z https://community.cisco.com/t5/network-security/url-whiltelisting-on-asa-without-firepower-license/m-p/3712745#M14443 Hi Balaji<BR /><BR /><BR /><BR />Thank you very much for your suggestions. Do you know if this will require a FirePOWER license, and if so, which one?<BR /><BR /><BR /> Tue, 25 Sep 2018 11:44:41 GMT https://community.cisco.com/t5/network-security/url-whiltelisting-on-asa-without-firepower-license/m-p/3712745#M14443 PETER NEGUS 2018-09-25T11:44:41Z https://community.cisco.com/t5/network-security/url-whiltelisting-on-asa-without-firepower-license/m-p/3712831#M14446 <P>The MPF/regex-based approach doesn't require the Firepower service module at all. No special ASA license is required - just the base software.</P> <P>&nbsp;</P> <P>I almost never see it in use in live networks though as it never caught on since it's so burdensome to configure.</P> <P>&nbsp;</P> <P>A much more sustainable solution is to use Firepower with URL Filtering or, better yet, Cisco Umbrella.</P> Tue, 25 Sep 2018 13:33:24 GMT https://community.cisco.com/t5/network-security/url-whiltelisting-on-asa-without-firepower-license/m-p/3712831#M14446 Marvin Rhoads 2018-09-25T13:33:24Z