https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3945921#M925267 <P>Yes you can have users and groups as elements in your ACPs with only Realm integration.</P> <P>However until you have an identity source to associate them with IP addresses, the users and group elements will not have any effective use.</P> Wed, 23 Oct 2019 04:29:52 GMT Marvin Rhoads 2019-10-23T04:29:52Z https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3941273#M925255 <P>Hi,</P><P>&nbsp;</P><P>How we can setup rules on FMC to allow users to access social media sites like facebook.com and block access to public drives like onedrive and drop box.</P><P>&nbsp;</P><P>Is there any way FMC allow access on user group base through Active Directory (AD). How we can setup this part of user group information gather from AD and allow access to URLs.</P><P>&nbsp;</P> Fri, 21 Feb 2020 17:35:45 GMT https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3941273#M925255 Fantas 2020-02-21T17:35:45Z https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3942435#M925256 <P>You can do this on FMC if you've integrated yoru AD with Realm integration and are gathering User-IP mapping with an identity source like Firepower User Agent or Cisco ISE. You would of course require a URL Filtering license.</P> <P>Personally I find this easier to do (and with superior reporting and fine-grained control) using Cisco Umbrella. Of course that's a separate product with its own deployment and costs.</P> Thu, 17 Oct 2019 10:52:38 GMT https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3942435#M925256 Marvin Rhoads 2019-10-17T10:52:38Z https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3943046#M925257 <P>Thanks,</P><P>&nbsp;</P><P>why I need user agent as If I dont wana monitor user activity.</P><P>I have already download user group from AD and now I wana add url filter rule but cant see anything in available realms.</P><P>&nbsp;</P><P>But when I check in realms its their in included but cant see it under rules for url filtering.</P><P>&nbsp;</P><P>please confirm if i am missing any thing and why cant see realms in policy rules so that I can filter user</P><P>&nbsp;</P><P>And Is user agent necessary for url filtering.</P> Fri, 18 Oct 2019 06:06:13 GMT https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3943046#M925257 Fantas 2019-10-18T06:06:13Z https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3943186#M925258 <P>Simply pulling groups and user names from AD realms isn't enough. You need the username to IP address mapping. That's what an identity source like User Agent gives you.&nbsp;ISE and captive portal are other identity sources.</P> Fri, 18 Oct 2019 10:42:26 GMT https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3943186#M925258 Marvin Rhoads 2019-10-18T10:42:26Z https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3943700#M925259 <P>Thanks,</P><P>&nbsp;</P><P>Can we install user agent on same jump server where we access FMC or it needs to be on dedicated windows machine.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 19 Oct 2019 05:47:20 GMT https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3943700#M925259 Fantas 2019-10-19T05:47:20Z https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3943939#M925261 <P>The User Agent can be on any Windows machine that has the appropriate access to the domain controller(s).</P> <P>The User Agent Configuration Guide has more details here:</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/firesight/user-agent/24/config-guide/Firepower-User-Agent-Configuration-Guide-v2-4/ConfigAgent.html#65849" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firesight/user-agent/24/config-guide/Firepower-User-Agent-Configuration-Guide-v2-4/ConfigAgent.html#65849</A></P> Sun, 20 Oct 2019 04:12:02 GMT https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3943939#M925261 Marvin Rhoads 2019-10-20T04:12:02Z https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3945814#M925263 <P>Thanks,</P><P>&nbsp;</P><P>Currently I am testing url filtering with FMC Realm and can see users in my access control policy.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 22 Oct 2019 23:35:27 GMT https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3945814#M925263 Fantas 2019-10-22T23:35:27Z https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3945911#M925265 <P>Hi</P><P>&nbsp;</P><P>Is there any other way for ISE to pass logs to FMC without pxGrid? Or is there way to perform authentication to AD via FMC?</P><P>&nbsp;</P><P>Thanks</P> Wed, 23 Oct 2019 04:23:05 GMT https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3945911#M925265 Sakun Sharma 2019-10-23T04:23:05Z https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3945921#M925267 <P>Yes you can have users and groups as elements in your ACPs with only Realm integration.</P> <P>However until you have an identity source to associate them with IP addresses, the users and group elements will not have any effective use.</P> Wed, 23 Oct 2019 04:29:52 GMT https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3945921#M925267 Marvin Rhoads 2019-10-23T04:29:52Z https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3945992#M925268 <P>1. No.</P> <P>2. You could use the captive portal but I've not done so.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/introduction_to_network_discovery_and_identity.html#concept_6C9FF477EEB643FD80818C0FAA91DAB3" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/introduction_to_network_discovery_and_identity.html#concept_6C9FF477EEB643FD80818C0FAA91DAB3</A></P> Wed, 23 Oct 2019 05:43:01 GMT https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3945992#M925268 Marvin Rhoads 2019-10-23T05:43:01Z https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3946016#M925269 <P>Hi,</P><P>You can do Active Authentication through Identity policy on&nbsp; FMC, I am doing passive authentication and at some stage might needs active authentication.</P><P>&nbsp;</P><P>This Issue I have , I have did URL filtering for my inside client based on domain user name and allowed only Facebook.com in access policy but still client is able to access all other web sites including Facebook.com.</P> Wed, 23 Oct 2019 06:19:51 GMT https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3946016#M925269 Fantas 2019-10-23T06:19:51Z https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3946529#M925270 <P>Can you share your Access Control Policy rules?</P> Wed, 23 Oct 2019 17:45:35 GMT https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3946529#M925270 Marvin Rhoads 2019-10-23T17:45:35Z https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3946567#M925271 <P>Hi,</P><P>&nbsp;</P><P>I configured active authentication on fmc after import certificate with basic http.</P><P>First time browser asks for domain username and password for http site after entering I got access but now its not asking any of the http sites and I can access all http and https sites from client , its strange.</P><P>&nbsp;</P><P>So again I am on below issues, anyone have same issues and fixed them , please share</P><P>&nbsp;</P><P>1 - URL Filtering are not working properly for http sites</P><P>2 - URL Filtering for https sites still need to be setup</P><P>&nbsp;</P><P>My ACP allows only facebook.com but from client I can access all http and https sites.</P><P>&nbsp;</P><P>In logs I can see my domain user access to all those web sites</P> Wed, 23 Oct 2019 18:29:15 GMT https://community.cisco.com/t5/network-security/user-based-url-access/m-p/3946567#M925271 Fantas 2019-10-23T18:29:15Z