topic Hi Marvin in Network Security

ASA with Firepower services

mdsayeed525 — Tue, 12 Mar 2019 09:10:41 GMT

Can anyone help me on below query

The URL filtering option in Cisco ASA5516-X is not observed to be working and blocking websites based on the

category, like if I select the category of Games to block all the Websites related to

Games and apply it to the Device, the filtering is not blocking websites related to the Games.

I am using ASDM for Configuring Firepower services.

Current ASA version is 9.6

ASDM version is 7.6

ASA firepower verison 5.4.1

Can you share a screen shot

Marvin Rhoads — Wed, 05 Apr 2017 04:27:50 GMT

Can you share a screen shot of your access control policy including details of the rules that are not working?

Also you are running a very old version of FirePOWER - it's actually the first release for that platform. The current release is 6.2.0.1

Hi Marvin

mdsayeed525 — Wed, 05 Apr 2017 05:56:32 GMT

Hi Marvin

We are using Demo 5516-X that the reason we have old version of Firepower.

Kindly find the screenshots of the ACLs created and the URL blocking applied on the Device. As you can observe the Category wise blocking is not happening as per the policies configured

OK that looks pretty good.

Marvin Rhoads — Wed, 05 Apr 2017 06:12:31 GMT

OK that looks pretty good.

Can you confirm that the source address is a private network (RFC 1918 space) and that the URL Filtering license is applied?

Also check the Monitoring tab to look for the connection record details when you access that site. Let's see if that gives any clues.

Hi Marvin

mdsayeed525 — Wed, 05 Apr 2017 07:58:27 GMT

Hi Marvin

The Private Network is the source from where the request comes (Local Network)and URL filtering is applied to it.

I have also attached the Connection monitoring snapshot which shows the blocked action for the individual object Poker.com.

Websites are getting Blocked if I create individual object. Category based blocking is not working.

I checked this document:

Marvin Rhoads — Wed, 05 Apr 2017 08:21:46 GMT

I checked this document:

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118852-technote-firesight-00.html#anc15

...and see there were some bugs fixed in 5.4.1.1 and later which "Resolved an issue where, in some cases, you were not able to get URL category or URL reputation information. (CSCur38971, CSCus59492)".

I suspect if you upgrade your FirePOWER release you will find this issue is resolved.

You should also confirm that your FirePOWER module itself can resolve FQDNs and reach the Internet as that could also cause this issue. (Use the expert mode cli and do an nslookup and something like a curl to access an https site.)

admin@firepower:~$ sudo curl -vvk https://www.google.com
* Rebuilt URL to: https://www.google.com/
* Trying 216.58.217.132...
* Connected to www.google.com (216.58.217.132) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
* start date: Mar 22 16:27:10 2017 GMT
* expire date: Jun 14 16:16:00 2017 GMT
* issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.48.0
> Accept: */*
> 
< HTTP/1.1 200 OK

<output truncated>

Hi Marvin

mdsayeed525 — Wed, 05 Apr 2017 13:35:00 GMT

Hi Marvin

I have tried the expert mode cli, I could not reach google.com.

attached the screen shot for reference

how can we upgrade the asa firepower module?

Since you cannot resolve

Marvin Rhoads — Wed, 05 Apr 2017 14:06:28 GMT

Since you cannot resolve public FQDNs, it appears your configured DNS is not resolving addresses for you. Fix that first and then re-try.

If you need to upgrade, it's easiest to just re-image and reconfigure if there's not any significant configuration on the unit. Instructions for that are here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/modules-sfr.html#pgfId-1485989

If it's a demo unit are you a partner or has your partner SE provided it to you? If the latter, they should be able to assist.