topic Hi Marvin! :DThat is exactly in Network Security

URL filtering

Rolando Valenzuela — Tue, 12 Mar 2019 06:34:11 GMT

Hello community!

I was reading the following article: ASA URL filtering without a Websense and I have additional questions regarding that process.

Is my understanding that the website denied is denied globally thanks to the command service-policy global_policy global, which means that if I have 10 networks on my firewall, the traffic to that website is going to be denied for all of them, right?

I know that the example shows how to apply the rule to an specific host and we can have some flexibility due the ACL we have to set, but still this is a global setting right?

Is there a way I can setup this rule to only one interface? What about scalability can I set multiple rules for different type of traffic?

Thanks!

I've seen this feature used

Marvin Rhoads — Wed, 09 Sep 2015 02:14:44 GMT

I've seen this feature used maybe once in production and I've worked on hundreds of ASAs. It's not very robust and most people only ever did it as an experiment to see if they could.

Anybody serious about URL filtering will use either a proxy or something like the FirePOWER service module.

That said, you can apply the service policy either globally or on a specific interface. As shown in the article example:

service-policy http-traffic interface inside

...would do it for the interface with nameif "inside".

Hi Marvin! :DThat is exactly

Rolando Valenzuela — Wed, 09 Sep 2015 14:44:01 GMT

Hi Marvin! 😄

That is exactly what I was looking for: "I've seen this feature used maybe once in production [...] It's not very robust..."

I'm playing with a ASA v9.x and reading about the FQDN feature implemented I came across with the article I previously quoted "ASA URL filtering without a Websense" and I wanted to know how much you can do with it.

Thank you very much for all the help 😄

Regards!