04-11-2016 04:28 AM - edited 03-12-2019 05:58 AM
Dears
Please find the attachment.
I have some questions about the access control policies.
I am allowing all traffic to be redirected to Firepower.
If the traffic is allowed by the ASA access-list but it is blocked by Firepower rules, will it drop the packet? Please correct me if I am wrong.
If the traffic is allowed by the ASA access-list but there is no match in the Firepower policies, for example traffic from the inside to the DMZ interface where there is no rule, it will fall into the default action rule, which can by default be an intrusion policy, network discovery, etc.
Please tell me whether the rules created in the attached snapshot are correct: users will be able to browse the internet and the application filter will work by rule 2?
04-11-2016 07:12 AM
Hi Jack,
You are correct. Once the traffic is allowed by the ASA, it goes to Firepower and the action is decided by which rule it matches. If the traffic doesn't match anything, then it will match the default action, with which the user should be able to access the internet.
04-11-2016 08:37 AM
Dear yogdhanu,
Thanks for the reply.
If the traffic is allowed by the ASA access-list but it is blocked by Firepower rules, will it drop the packet? Please correct me if I am wrong.
With the attached snapshot of the rules I want to achieve a high-risk URL filter, BitTorrent should be blocked, and only HTTP, HTTPS, FTP and DNS should be allowed. Does the attached snapshot configuration meet the rule?
Regards
Jack
04-11-2016 09:58 AM
Hi Jack,
Yes, you are right. Firepower will drop the packet if it's blocked by a Firepower rule.
You have created an all-block rule and allowed only HTTP etc. There are apps which use HTTP for torrent. I suggest creating another block rule on top of the allow rule matching the app detector for torrent.
04-11-2016 09:28 PM
Dear yogdhanu,
Are you sure the rules which I have created are correct? What I think is that rule 1 will match all traffic and it will block all users???
Or the rule says:
if a user A browses an internet URL which is in the high-risk category he will be blocked by RULE 1, and if the URL is not high risk he will fall into RULE 3. Please correct me if I am wrong.
Thanks
04-20-2016 08:12 AM
If any user from your inside network accesses a URL that matches the URL category you have defined in rule 1, it will be blocked.
If it doesn't, it will be allowed as per your rule 3.
05-06-2016 02:31 PM
Dear Yogdhanu,
Many times I have issues where I don't see the traffic in the connection events, neither in the allow nor the block action, and it simply shows on the user's desktop that the webpage cannot be displayed.
Are there any CLI traces to be seen or captured so that we can come to know which rule the traffic is falling into?
thanks
05-06-2016 10:42 PM
Hi
There are 2 ways you can do that.
In the sensor CLI:
>system support firewall-engine-debug
It will give you option to choose the inline sets where traffic needs to be captured.
Select that and then define the source IP or destination as a filter (the script will ask you for that), or leave all blank.
This would show you the traffic as it matches the rules. You can probably use PuTTY and save its logs so that you can analyze the traffic and see it trying to match against all the rules and which rule it does match.
For regular pcap captures, use this article:
http://www.cisco.com/c/en/us/support/docs/security/sourcefire-firepower-8000-series-appliances/117778-technote-sourcefire-00.html
Rate if it helps.
Yogesh
05-06-2016 11:40 PM
Dear Yogdhanu,
I'm trying to access one of the FTP sites and that is falling into the default action rule. I just want to confirm with you whether the URL categories which are available in the system are only for HTTP and HTTPS traffic or for other protocols as well, such as FTP etc.
thanks
05-07-2016 02:17 AM
Yes, the URL categories apply only to web traffic (HTTP and HTTPS) but not FTP.
Rate if it helps.
Yogesh
05-07-2016 03:19 AM
Dear yogdhanu
So for the FTP protocol I should create a separate rule on top to match it, and I will also attach the file policy so that in case they are downloading any file, if it contains malware, they will be blocked.
thanks
05-07-2016 08:26 AM
Correct, or you can just have one last rule where all the traffic will match and have the file policy and IPS policy in there.
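As an added illustration (not code from this thread or from Cisco), here is a small Python model of the first-match evaluation discussed above: rule 1 blocks the high-risk URL category, a torrent app-detector block sits above the allow rule as suggested, rule 3 allows HTTP/HTTPS/FTP/DNS, and anything else lands on the default action. The rule names, flow fields and sample flows are constructed assumptions; the model also encodes the answer's point that URL categories apply only to HTTP/HTTPS, so an FTP flow can never match a URL-category rule and falls through to the next rule.

```python
# Constructed model of first-match access-control evaluation (not Firepower code).
from dataclasses import dataclass, field

WEB_PROTOCOLS = {"http", "https"}   # assumption: URL categories exist only for web traffic


@dataclass
class Rule:
    name: str
    action: str                                        # "block" or "allow"
    protocols: set = field(default_factory=set)        # empty = any protocol
    apps: set = field(default_factory=set)             # app-detector names, empty = any
    url_categories: set = field(default_factory=set)   # empty = any category

    def matches(self, flow: dict) -> bool:
        if self.protocols and flow["protocol"] not in self.protocols:
            return False
        if self.apps and flow.get("app") not in self.apps:
            return False
        if self.url_categories:
            # A URL category is only known for web traffic, so a non-web flow
            # (e.g. FTP) cannot satisfy a URL-category condition at all.
            if flow["protocol"] not in WEB_PROTOCOLS:
                return False
            if flow.get("url_category") not in self.url_categories:
                return False
        return True


# Constructed policy mirroring the thread's rule order.
POLICY = [
    Rule("1 block high-risk URLs", "block", url_categories={"high_risk"}),
    Rule("2 block torrent apps", "block", apps={"bittorrent"}),
    Rule("3 allow web/ftp/dns", "allow", protocols={"http", "https", "ftp", "dns"}),
]
DEFAULT_ACTION = ("default action", "allow")


def evaluate(flow: dict, policy=POLICY, default=DEFAULT_ACTION):
    """Return (rule name, action) for the first rule the flow matches, else the default."""
    for rule in policy:
        if rule.matches(flow):
            return rule.name, rule.action
    return default


if __name__ == "__main__":
    # Constructed sample flows: high-risk web page, torrent over HTTP, normal HTTPS, FTP, SMTP.
    for f in ({"protocol": "http", "url_category": "high_risk"},
              {"protocol": "http", "app": "bittorrent", "url_category": "p2p"},
              {"protocol": "https", "url_category": "news"},
              {"protocol": "ftp"}, {"protocol": "smtp"}):
        print(f, "->", evaluate(f))
```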