How can we set up rules on FMC to allow users to access social media sites like facebook.com and block access to public drives like OneDrive and Dropbox?
Is there any way FMC can allow access on a user group basis through Active Directory (AD)? How can we set up this part, gathering user group information from AD and allowing access to URLs?
You can do this on FMC if you've integrated your AD with Realm integration and are gathering User-IP mapping with an identity source like Firepower User Agent or Cisco ISE. You would of course require a URL Filtering license.
Personally I find this easier to do (and with superior reporting and fine-grained control) using Cisco Umbrella. Of course that's a separate product with its own deployment and costs.
Why do I need the User Agent if I don't want to monitor user activity?
I have already downloaded the user groups from AD and now I want to add a URL filter rule, but I can't see anything in available realms.
But when I check in realms, it's there in included, but I can't see it under rules for URL filtering.
Please confirm if I am missing anything and why I can't see realms in policy rules so that I can filter users.
And is the User Agent necessary for URL filtering?
Simply pulling groups and user names from AD realms isn't enough. You need the username to IP address mapping. That's what an identity source like User Agent gives you. ISE and captive portal are other identity sources.
The User Agent can be on any Windows machine that has the appropriate access to the domain controller(s).
The User Agent Configuration Guide has more details here:
Yes you can have users and groups as elements in your ACPs with only Realm integration.
However until you have an identity source to associate them with IP addresses, the users and group elements will not have any effective use.
2. You could use the captive portal but I've not done so.
You can do Active Authentication through Identity policy on FMC. I am doing passive authentication and at some stage might need active authentication.
This is the issue I have: I have done URL filtering for my inside client based on domain user name and allowed only Facebook.com in the access policy, but the client is still able to access all other web sites including Facebook.com.
I configured active authentication on FMC after importing the certificate with basic HTTP.
The first time, the browser asks for the domain username and password for an HTTP site; after entering them I got access, but now it's not asking on any of the HTTP sites and I can access all HTTP and HTTPS sites from the client. It's strange.
So again I have the issues below. If anyone has had the same issues and fixed them, please share.
1 - URL filtering is not working properly for HTTP sites
2 - URL filtering for HTTPS sites still needs to be set up
My ACP allows only facebook.com, but from the client I can access all HTTP and HTTPS sites.
In the logs I can see my domain user accessing all those web sites.