
User based URL Access

Fantas
Level 1

Hi,

How can we set up rules on FMC to allow users to access social media sites like facebook.com and block access to public drives like OneDrive and Dropbox?

Is there any way FMC can allow access on a user group basis through Active Directory (AD)? How can we set up this part, gathering user group information from AD and allowing access to URLs?

12 Replies

Marvin Rhoads
Hall of Fame

You can do this on FMC if you've integrated your AD with Realm integration and are gathering User-IP mapping with an identity source like Firepower User Agent or Cisco ISE. You would of course require a URL Filtering license.

Personally I find this easier to do (and with superior reporting and fine-grained control) using Cisco Umbrella. Of course that's a separate product with its own deployment and costs.

Thanks,

Why do I need User Agent if I don't want to monitor user activity?

I have already downloaded the user group from AD and now I want to add a URL filter rule, but I can't see anything in available realms.

But when I check in realms, it's there in included, but I can't see it under rules for URL filtering.

Please confirm if I am missing anything and why I can't see realms in policy rules so that I can filter users.

And is User Agent necessary for URL filtering?

Simply pulling groups and user names from AD realms isn't enough. You need the username to IP address mapping. That's what an identity source like User Agent gives you. ISE and captive portal are other identity sources.

Thanks,

Can we install User Agent on the same jump server where we access FMC, or does it need to be on a dedicated Windows machine?

The User Agent can be on any Windows machine that has the appropriate access to the domain controller(s).

The User Agent Configuration Guide has more details here:

https://www.cisco.com/c/en/us/td/docs/security/firesight/user-agent/24/config-guide/Firepower-User-Agent-Configuration-Guide-v2-4/ConfigAgent.html#65849

Thanks,

Currently I am testing URL filtering with FMC Realm and can see users in my access control policy.

Yes you can have users and groups as elements in your ACPs with only Realm integration.

However until you have an identity source to associate them with IP addresses, the users and group elements will not have any effective use.

Hi

Is there any other way for ISE to pass logs to FMC without pxGrid? Or is there a way to perform authentication to AD via FMC?

Thanks

Hi,

You can do Active Authentication through Identity policy on FMC. I am doing passive authentication and at some stage might need active authentication.

This is the issue I have: I have done URL filtering for my inside client based on domain user name and allowed only Facebook.com in the access policy, but the client is still able to access all other web sites, including Facebook.com.

Can you share your Access Control Policy rules?

Hi,

I configured active authentication on FMC after importing a certificate with basic HTTP.

The first time, the browser asked for the domain username and password for an HTTP site, and after entering them I got access, but now it's not asking for any of the HTTP sites and I can access all HTTP and HTTPS sites from the client. It's strange.

So again I have the issues below. If anyone has had the same issues and fixed them, please share.

1 - URL filtering is not working properly for HTTP sites

2 - URL filtering for HTTPS sites still needs to be set up

My ACP allows only facebook.com, but from the client I can access all HTTP and HTTPS sites.

In the logs I can see my domain user accessing all those web sites.
