topic Thanks. I just tried this in Network Security

Firepower URLs without license

mmacdonald70 — Tue, 12 Mar 2019 07:05:35 GMT

I'm not sure if this is answered somewhere in the docs that I missed. If it it, I'm sorry.

I have two questions in relation to my ASA5506-x appliance and firepower:

1. I don't currently have the URL license since I'm not interested in the cloud based service. What I would like however is the ability to filter out URLs based on regex or keywords in the URL. Is this possible?

2. On a similar topic, is there a way to see what URLs were accessed?

3. I keep seeing messages in the "Threats" area like "INDICATOR-COMPROMISE Suspicious .pw dns query" but I can't seem to figure out a way to get more information (like the source IP address)

Thanks

If you don't want to licence

Philip D'Ath — Sun, 03 Jan 2016 02:31:07 GMT

If you don't want to licence the Firepower module (ps, there is a promo on for three years licences at the moment ...), then could consider doing this purely on the ASA.

You can filter either HTTP (not https) urls, or do DNS filtering, which stops all protocols. I personally prefer the DNS method. Here is a brief example to block logmein.com.

regex domain_logmein.com “\.logmein\.com”
!
class-map type regex match-any DomainBlockList
description Blocked Domains
match regex domain_logmein.com
!
policy-map type inspect dns PM-DNS-inspect
parameters message-length maximum 512
match domain-name regex class DomainBlockList
drop-connection log
!
policy-map global_policy
class inspection_default
inspect dns PM-DNS-inspect
!
service-policy global_policy global

I never tested it without a

Karsten Iwen — Sun, 03 Jan 2016 11:56:59 GMT

I never tested it without a license, but the documentation states that it should work without:

To apply an access control policy that...	License
performs access control based on zone, network, or port performs URL filtering using literal URLs and URL objects	Any

To apply an access control policy that...

License

performs access control based on zone, network, or port

performs URL filtering using literal URLs and URL objects

Any

I think that means you need

Philip D'Ath — Sun, 03 Jan 2016 20:51:43 GMT

I think that means you need "any" licence such as "Control" as opposed to "No" licence. I'm 99% confident it wont allow you to configure anything if you have no licence at all.

Thanks. I just tried this

mmacdonald70 — Mon, 04 Jan 2016 03:05:38 GMT

Thanks. I just tried this out and it appears to work. I manually added several URLs in a rule and it successfully blocked them.

Now if I can just figure out the other two questions.

Re: Firepower URLs without license

mohd_123shoaib — Mon, 11 Nov 2019 14:39:20 GMT

Hi,

Regarding your second and third query, you can use connection events on the FMC to check connection attempts against the access rule you have defined. But Remmeber you should have logging enabled against the required access rule. Also for the 3rd question you can use intrusion events.

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/fpmc-config-guide-v60_chapter_01101111.html