622 Views, 0 Helpful, 12 Replies
Beginner

User based URL Access

Hi,

How can we set up rules on FMC to allow users to access social media sites like facebook.com and block access to public drives like OneDrive and Dropbox?

Is there any way for FMC to allow access on a user-group basis through Active Directory (AD)? How can we set up this part, gathering user group information from AD and allowing access to URLs?

12 REPLIES
Hall of Fame Guru

Re: User based URL Access

You can do this on FMC if you've integrated your AD with Realm integration and are gathering User-IP mapping with an identity source like Firepower User Agent or Cisco ISE. You would of course require a URL Filtering license.

Personally I find this easier to do (and with superior reporting and fine-grained control) using Cisco Umbrella. Of course that's a separate product with its own deployment and costs.

Beginner

Re: User based URL Access

Thanks,

Why do I need the User Agent if I don't want to monitor user activity?

I have already downloaded the user groups from AD and now I want to add a URL filter rule, but I can't see anything in available realms.

But when I check in realms, it's there in included, but I can't see it under rules for URL filtering.

Please confirm if I am missing anything and why I can't see realms in policy rules so that I can filter users.

And is the User Agent necessary for URL filtering?

Hall of Fame Guru

Re: User based URL Access

Simply pulling groups and user names from AD realms isn't enough. You need the username to IP address mapping. That's what an identity source like User Agent gives you. ISE and captive portal are other identity sources.

Beginner

Re: User based URL Access

Thanks,

Can we install the User Agent on the same jump server where we access FMC, or does it need to be on a dedicated Windows machine?

Hall of Fame Guru

Re: User based URL Access

The User Agent can be on any Windows machine that has the appropriate access to the domain controller(s).

The User Agent Configuration Guide has more details here:

https://www.cisco.com/c/en/us/td/docs/security/firesight/user-agent/24/config-guide/Firepower-User-Agent-Configuration-Guide-v2-4/ConfigAgent.html#65849

Beginner

Re: User based URL Access

Thanks,

Currently I am testing URL filtering with FMC Realm and can see users in my access control policy.

Hall of Fame Guru

Re: User based URL Access

Yes, you can have users and groups as elements in your ACPs with only Realm integration.

However, until you have an identity source to associate them with IP addresses, the user and group elements will not have any effective use.

Beginner

Re: User based URL Access

Hi

Is there any other way for ISE to pass logs to FMC without pxGrid? Or is there a way to perform authentication to AD via FMC?

Thanks

Hall of Fame Guru

Re: User based URL Access

Beginner

Re: User based URL Access

Hi,

You can do Active Authentication through Identity policy on FMC. I am doing passive authentication and at some stage might need active authentication.

This is the issue I have: I have done URL filtering for my inside client based on domain user name and allowed only Facebook.com in the access policy, but the client is still able to access all other web sites, including Facebook.com.

Hall of Fame Guru

Re: User based URL Access

Can you share your Access Control Policy rules?

Beginner

Re: User based URL Access

Hi,

I configured active authentication on FMC after importing a certificate, with basic HTTP.

The first time, the browser asked for the domain username and password for an HTTP site. After entering them I got access, but now it's not asking for any of the HTTP sites and I can access all HTTP and HTTPS sites from the client. It's strange.

So again I am on the issues below. If anyone has had the same issues and fixed them, please share.

1 - URL filtering is not working properly for HTTP sites

2 - URL filtering for HTTPS sites still needs to be set up

My ACP allows only facebook.com, but from the client I can access all HTTP and HTTPS sites.

In the logs I can see my domain user accessing all those web sites.
