ASA Firepower block domain or site

beconnect
Level 1

Hi All

On an ASA ASA5516-FPWR-K9 with the base license only, is it possible to block some domain or site URL via a rule?

I can block some IPs or networks, but I am not able to see how to block a domain or site.

 

Can you help?

Firewall is running on versions:

Cisco Fire Linux OS v6.2.3 (build 13)
Cisco ASA5516-X Threat Defense v6.2.3.6 (build 37)

Thanks for help

Regards

 


balaji.bandi
Hall of Fame

You need an additional license, I guess (never worked on the base license; maybe this is a limitation).

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Balaji

This document that you refer to uses blocking via DNS. This needs an extra license, correct?

 

Regards

@beconnect you will need the Threat license if you wish to use Security Intelligence functionality to block via DNS.

Apologies, I posted the wrong URL - yes, you need an additional license.

 

Just to clarify, are you looking to block using IPS or the firewall?

 

BB


Hi

 

I found this one also, which points to the fact that @Rob Ingram says

 

I think we need for sure the Threat license to block it.

 

As we only have the base license, we were doing it on the firewall.

 

We were able to block via IP address when creating rules, but via URL or domain it is not possible.

 

Thanks for helping

 

 

Yes, FQDN block requires an additional license; IP block can work if the domain has the same IP address all the time.

 

Due to the on-demand industry, the IP changes dynamically; that is where the main concern comes into the picture for blocking using FQDN rather than IP.

 

You can do some scripting to change the rule by capturing the IP address with a DNS lookup (if you would like to save some money and you only have a small ruleset).

 

BB

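The scripted approach BB describes, as an added example that is not from this thread or from Cisco: it resolves each blocked domain, diffs the answers against the addresses already in the block rule, and returns what to add and remove; pushing that change into the FTD rule is left to whatever management interface the operator uses, and the demo's lookup answers are constructed (a `fake_resolver` stands in for real DNS).

```python
import socket
from typing import Callable, Dict, Iterable, Set

Resolver = Callable[[str], Set[str]]


def resolve_ipv4(fqdn: str) -> Set[str]:
    """Return every IPv4 address a DNS lookup currently yields for fqdn."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        # Name did not resolve: report no addresses rather than raising.
        return set()
    return {sockaddr[0] for _, _, _, _, sockaddr in infos}


def plan_block_update(domains: Iterable[str], current: Dict[str, Set[str]],
                      resolver: Resolver = resolve_ipv4) -> Dict[str, Set[str]]:
    """Diff fresh lookups against the addresses already in the block rule.

    current maps each domain to the addresses blocked for it today.
    Returns the sets to "add", "remove" and "keep" in the rule's objects."""
    add, remove, keep = set(), set(), set()
    for fqdn in domains:
        fresh = resolver(fqdn)
        old = current.get(fqdn, set())
        if not fresh:
            # A failed lookup must not silently strip the existing block.
            keep |= old
            continue
        add |= fresh - old
        remove |= old - fresh
        keep |= old & fresh
    # Never remove an address that another blocked domain still resolves to.
    remove -= add | keep
    return {"add": add, "remove": remove, "keep": keep}


# Constructed DNS answers and rule state for the offline demo (not real data).
SAMPLE_ANSWERS = {"example.test": {"198.51.100.10", "198.51.100.11"},
                  "old-host.test": {"203.0.113.9"}, "gone.test": set()}
SAMPLE_RULE = {"example.test": {"198.51.100.10", "203.0.113.9"},
               "old-host.test": {"203.0.113.5"}, "gone.test": {"192.0.2.1"}}


def fake_resolver(fqdn: str) -> Set[str]:
    return SAMPLE_ANSWERS.get(fqdn, set())


def demo() -> Dict[str, Set[str]]:
    return plan_block_update(SAMPLE_RULE, SAMPLE_RULE, resolver=fake_resolver)


if __name__ == "__main__":
    print(demo())
```

A lookup from one vantage point can miss addresses other resolvers are handed, and a shared hosting or CDN address also blocks every other site behind it, so review the diff before applying it.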

@beconnect if you don't use Security Intelligence which requires a license, you can just manually create URL objects and permit/deny traffic - this does not require a URL license. https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/licensing_the_firepower_system.pdf

 

Hi Rob

Can you help me find that?

 

I am not able to see where to create a URL object. I only see network or host objects.

 

Sorry, maybe my bad.

@beconnect you are running FTD 6.2.3.6; it's more than likely not supported in such an old version if you cannot see it.

You'll need to upgrade; the latest supported version for your hardware is 7.0 - this will support the feature you require.

https://software.cisco.com/download/home/286285782/type/286306337/release/7.0.0

 

Robin

I have a URL filtering license to install.

Can it be done on FTD 6.2.3.6, or is 7.0.x needed?

If so, can we move directly to 7.0.x, or is there an upgrade path?

 

Regards
