topic Re: URL Filtering FTD/FMC2100 in Network Security

URL Filtering FTD/FMC2100

Fantas — Fri, 21 Feb 2020 17:35:17 GMT

Hi,

we want to apply url filtering on our new FTD2100 firewalls through FMC. I have below questions and need clarity please before I proceed and deploy changes. My change is coming soon so wana prepare.

1 - URL filtering enabling steps on through FMC

2 - How FTD will detect If it receives http/https traffic for website access.

3 - Current clients can access internet through bluecoat proxy but now I wana to remove proxy setting from browser and wana allow access to specific urls through FTD for all those internal clients.

4 - Do the FTD need to have SSL certificate for https sites to access outside urls

5 - How proxy will resolve request for linkedin.com from internal client

6 - How this will work when client open browser and type www.linkedin.com, how this request will go to FTD as its through browser and how FTD will resolve www.linkedin.com so that connection can happen.

7 - For URL filtering do we needs to add FTD inside IP in proxy setting port 8080 on client browser setting

8 - Since I have already 200 plus rules on FMC for FTD2100, Do I need to create new Category for URL filtering so If any client need access to sites ten I can just add them in that category , just a clean work.

9 - Will be any issue for existing rules because URL category rules will have block action for some sites , so I dont wana create any issues for other running policies.

Re: URL Filtering FTD/FMC2100

Francesco Molino — Sun, 13 Oct 2019 04:38:48 GMT

Hi

You don't need to configure anything in your clients browsers.
You don't need to do ssl decryption for https url filtering, it's based on ssl handshake with the server certificate exchange.

If you want to deny some sites, you need to put the rule above other roles to avoid any overlap or override. It's difficult to tell you which position without knowing your configuration.

To answer all your questions, take a look on the Cisco documentation which is clear and straight forward:
https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/url_filtering.html

Ssl decryption will be needed if you want to filter results on search engines.
Here a documentation explaining how:
https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/access_control_using_content_restriction.html

Hope this is clear. Let me know if you need any clarifications after you looked at the docs.

Re: URL Filtering FTD/FMC2100

Fantas — Sun, 13 Oct 2019 05:13:27 GMT

Thanks,

So my ACLs on FMC like this as an example.

I have many categories like this sourced from different zones.

Can I create new category with new name like URL/Sites Access and add rules under this.

How traffic through rules will process if my new category at the end.

Client IP also already exists in existing rules.

Client IP : 1.1.1.1/32

Dest : www.linkedin.com

Action : Allow

Dest : www.facebook.com

Action : Block

Category Inside Rules (Existing)

1 - Source 1.1.1.0/25 DST : Any port : 443,22,80,53 Permit

2 - Source 2.2.2.0/25 DST : Any port : 443,22,80,53 Permit

3 - Source 1.1.1.1/32 DST : 9.9.9.9/32 port : 443,22,80,53 Permit

4 - Source 1.1.1.0/28 DST : Any port : 443 Permit

5 - Source 1.1.1.1/32 DST : 10.10.10.10/32 port : 443,22,80,53 Permit

Category Corp Rules (Existing)

1 - Source 11.11.11.0/25 DST : Any port : 443,22,80,53 Permit

2 - Source 22.22.22.0/25 DST : Any port : 443,22,80,53 Permit

3 - Source 11.11.11.11/32 DST : 9.9.9.9/32 port : 443,22,80,53 Permit

4 - Source 11.11.11.0/28 DST : Any port : 443 Permit

5 - Source 11.11.11.11/32 DST : 10.10.10.10/32 port : 443,22,80,53 Permit

Re: URL Filtering FTD/FMC2100

Marvin Rhoads — Sun, 13 Oct 2019 12:06:12 GMT

Access Control Policy (ACP) rules are processed from top to bottom as they appear in FMC.

The first match ends the rule processing (unless the action is Monitor in which case the subsequent rule(s) are processed).

Re: URL Filtering FTD/FMC2100

Francesco Molino — Mon, 14 Oct 2019 04:30:12 GMT

I would avoid mixing rules with url and ports. I would put url filtering rules before and then ports rules.
Add Marvin mentioned, rules are red and selected for traffic from top to down.

Re: URL Filtering FTD/FMC2100

Fantas — Mon, 14 Oct 2019 08:20:25 GMT

Thanks.

Can I create new category for URLs traffic only and keep this category above Inside rules category.

New URLs category will be sourced from same inside zone to outside and other zone same as existing Inside existing category sourced from inside to outside and other internal zones.

Re: URL Filtering FTD/FMC2100

Fantas — Mon, 14 Oct 2019 22:57:55 GMT

So my scenarios is like this

Client----->FTD-------->ASA with FirePower--------->Internet

based on above , Can I do URL filtering on ASA with firepower instead on FTD because client might to talk some other destinations so can be routed or allowed on FTD firewall but for URLs access like facebook.com will be routed to ASA with Firepower firewall So I can do URL filtering and NAT for Internet for internal clients on ASA.

Since we have SFR module on ASA so we should be able to URL filtering through FMC.

Re: URL Filtering FTD/FMC2100

Francesco Molino — Tue, 15 Oct 2019 01:15:14 GMT

You can do url filtering on your asa instead of ftd but the rules given previously still remain. (From top down and avoid mixing url filters with ports/applications)

Re: URL Filtering FTD/FMC2100

Fantas — Wed, 16 Oct 2019 00:57:18 GMT

Thanks,

I have decided to do NAT on ASA and URL filtering on FTD.

Lets see how it goes.

Re: URL Filtering FTD/FMC2100

Francesco Molino — Thu, 17 Oct 2019 15:48:13 GMT

This is a good choice!