topic I wasn't referring to your in Network Security

Blocking FB using ASA

network_user — Tue, 12 Mar 2019 04:32:01 GMT

Hello,

Is it possible to block facebook (http and https) using ASA firewall (without CSC)? I know that http can be blocked by blocking traffic going out to FB addresses, but how about https?

Thank you.

I know this is not the answer

turbo_engine26 — Thu, 24 Jul 2014 16:42:39 GMT

I know this is not the answer that you're looking for but better to use a dedicated cheap web filtering solution. Although you can block http destinations by addresses in a firewall, it is not flexible enough. Whenever a new address for that destination comes into life, you must manually add it in your blocking list. And whenever an old address for that destination dies, you must manually remove it from your blocking list. The result is "Headache".

On the other hand, you only need a single check box beside the "Social Networking" category in the web filter.

My personal experience is to avoid firewalls when it comes to blocking "Web Sites" because they are headache in that matter.

Just my 2 cents.

It's a REALLY crappy/non

kevin_giusti — Fri, 25 Jul 2014 01:04:13 GMT

It's a REALLY crappy/non-scalable solution but you could do something like this using DNS names and ACLs.

dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.2.2.2

object network www.pandora.com
fqdn www.pandora.com
object network www.netflix.com
fqdn www.netflix.com

object-group network Blocked-Websites
network-object object www.pandora.com
network-object object www.netflix.com

#create DHCP reservations or set static IPs for users/servers that will not be filtered.
object-group network Unfiltered-Users
network-object host 192.168.10.5
network-object host 192.168.10.6

access-list inside extended permit ip object-group Unfiltered-Users any
access-list inside extended deny ip any object-group Blocked-Websites
access-list inside extended permit ip any any

access-group inside in interface inside

Well, be my guest to MANUALLY

turbo_engine26 — Fri, 25 Jul 2014 01:55:04 GMT

Well, be my guest to MANUALLY add a web site every time you want to block something in your blocked websites object group. Is this the scalability you want? .. What if there is an exception and couple of users from subnet X asks you to open Netflix and block it for the rest of subnets? Do you have the scalability in the ASA to do this? Can't you see the amount of configurations you even added to the ASA just because to block certain web sites? Can't you see that i respectfully mentioned that my answer may be not the answer that you're looking for?

Respect others' opinions or Get lost.

Hi, You cannot do much to

nkarthikeyan — Fri, 25 Jul 2014 10:09:08 GMT

Hi,

You cannot do much to block in asa... whatever the fqdn al will not block effectively....... it can be accessible via the leakage... in one of my client location we have identified the FB subnet range for that location and we have blocked the entire range...

say we have blocked 173.252.110.0/24 and so on whatever we have observed as the FB Subnets....

in this case if they use extended URL's are also they wont get web page accessible at any cost....

Regards

Karthik

I wasn't referring to your

kevin_giusti — Fri, 25 Jul 2014 11:07:01 GMT

I wasn't referring to your post at any point in time. I was describing my own using half baked web webfiltering using DNS and ACLs as crappy and non-scalable.

OMG lol, i am so sorry kevin

turbo_engine26 — Fri, 25 Jul 2014 12:38:25 GMT

OMG lol, i am so sorry kevin 😉

Haha, no worries

kevin_giusti — Fri, 01 Aug 2014 11:21:43 GMT

Haha, no worries

CX/Sourcefire is the answer

nspasov — Sat, 02 Aug 2014 05:56:36 GMT

CX/Sourcefire is the answer to your troubles 🙂 Or a web filtering engine as suggested above.