I am about to order a URL license for source fire module on ASA 5515-X. My basic requirement is to do https filtering for websites like
facebook.com, youtube.com, twitter.com, etc. All this website works on https not http.
Will i need to purchase this URL license or this type of basic https filtering will be available in this module.
When i purchase the firewall source fire module came by default. I will also order fire sight management center but i wonder i will need to install it on VMware ESXI or its installation is possible also on vmware workstation.
This post is also link to my earlier post to get the clear idea. https://supportforums.cisco.com/discussion/12529741/cisco-asa-5515-x-how-access-gui-firepower-services-software-module
Please advise on above.
A URL filtering license is required to implement (and enforce) a URL policy. Without it, the FMC will tell you there is not a license on the system or allocated to the target device to support the requested feature.
For https traffic, we can filter by domain name but not dig deeper into the URI or otherwise do deep packet inspection to inspect things like "microapplications" or "microsites". (i.e Facebook status check allowed, Facebook games not allowed).
SSL decryption is currently available only on the dedicated appliances and is coming for the ASA modules later this year. That said, you will incur a significant performance hit to decrypt all the SSL going through your device (should you choose to do so) and will need a PKI in your enterprise so that the module can act as an SSL proxy.
In summary the below licences will be required.
1. Base license for Fire power services module
2. URL filtering License
3. Fire sight management software license.
4. VMware ESXi (to install FSM)
I belive there is no restriction or limitation to block websites like facebook.com, youtube.com, twitter.com which runs on https instead of http.
In Firepower services demo (http://www.cisco.com/c/en/us/products/collateral/security/asa-firepower-services/firepower.html) they demonstrated deep packet inspection clearly like instead of facebook we can block updating status, or fb games etc but not much information about URL filtering.
website filtering (https) is the main concern for client and i hope SFR is enough to do this with URL license.