Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
725
Views
5
Helpful
2
Replies

URL license on ASA 5515-X source fire module

Fazal E Rasool Khan
Level 1
Level 1

‎06-15-2015 03:31 AM - edited ‎03-11-2019 11:06 PM

Hello Everyone, 

I am about to order a URL license for source fire module on ASA 5515-X. My basic requirement is to do https filtering for websites like

facebook.com, youtube.com, twitter.com, etc. All this website works on https not http. 

Will i need to purchase this URL license or this type of basic https filtering will be available in this module. 
 

When i purchase the firewall source fire module came by default. I will also order fire sight management center but i wonder i will need to install it on VMware ESXI or its installation is possible also on vmware workstation.

This post is also link to my earlier post to get the clear idea. https://supportforums.cisco.com/discussion/12529741/cisco-asa-5515-x-how-access-gui-firepower-services-software-module

 

Please advise on above. 
Many Thanks. 
 

Labels:
0 Helpful
2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-15-2015 09:08 AM

A URL filtering license is required to implement (and enforce) a URL policy. Without it, the FMC will tell you there is not a license on the system or allocated to the target device to support the requested feature.

For https traffic, we can filter by domain name but not dig deeper into the URI or otherwise do deep packet inspection to inspect things like "microapplications" or "microsites". (i.e Facebook status check allowed, Facebook games not allowed).

SSL decryption is currently available only on the dedicated appliances and is coming for the ASA modules later this year. That said, you will incur a significant performance hit to decrypt all the SSL going through your device (should you choose to do so) and will need a PKI in your enterprise so that the module can act as an SSL proxy.

Fazal E Rasool Khan
Level 1
Level 1
In response to Marvin Rhoads

‎06-16-2015 05:35 AM

Thanks Marvin, 

In summary the below licences will be required.

1. Base license for Fire power services module

2. URL filtering License

3. Fire sight management software license. 

4. VMware ESXi (to install FSM)

I belive there is no restriction or limitation to block websites like facebook.com, youtube.com, twitter.com which runs on https instead of http. 

In Firepower services demo (http://www.cisco.com/c/en/us/products/collateral/security/asa-firepower-services/firepower.html) they demonstrated deep packet inspection clearly like instead of facebook we can block updating status, or fb games etc but not much information about URL filtering. 

website filtering (https) is the main concern for client and i hope SFR is enough to do this with URL license.

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card