05-03-2022 02:31 AM
Hi All
On an ASA ASA5516-FPWR-K9 with the base license only, is it possible to block some domain or site URL via a rule?
I can block some IPs or networks, but I am not able to see how to block a domain or site.
Can you help?
Firewall is running on versions:
Cisco Fire Linux OS v6.2.3 (build 13)
Cisco ASA5516-X Threat Defense v6.2.3.6 (build 37)
Thanks for help
Regards
05-03-2022 02:35 AM - edited 05-03-2022 02:48 AM
You need an additional license, I guess (I never worked on the base license; maybe this is a limitation).
05-03-2022 02:40 AM
Hi Balaji
This document that you refer to uses blocking via DNS. This needs an extra license, correct?
Regards
05-03-2022 02:49 AM
@beconnect you will need the Threat license if you wish to use Security Intelligence functionality to block via DNS.
05-03-2022 02:50 AM
Apologies, I posted the wrong URL - yes, you need an additional license.
Just to clarify, are you looking to block using IPS or the firewall?
05-03-2022 02:54 AM
Hi
I found this one also, which points to what @Rob Ingram says.
I think we need for sure the Threat license to block it.
As we only have base license we were doing it on the firewall.
We were able to block via IP address under creation of rules, but via URL or domain is not possible.
Thanks for helping
05-03-2022 03:01 AM
Yes, FQDN block requires an additional license. IP block can work if the domain has the same IP address all the time.
Due to the on-demand industry, the IP changes dynamically; that is where the main concern comes into the picture, to block using FQDN rather than IP.
You can do some scripting to change the rule by capturing the IP address with a DNS lookup (if you would like to save some money and only have a small ruleset).
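As an added illustration of the scripting approach suggested in this post (example code, not from the original thread or from Cisco): the script resolves the FQDNs, normalises the addresses, and computes which entries must be added to or removed from an IP-based block rule. The rule object and DNS answers are constructed sample data; pushing the resulting change to the device (e.g. through the FMC REST API) is assumed to happen elsewhere and is not shown.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set

# A resolver maps one FQDN to the set of addresses it currently points at.
Resolver = Callable[[str], Set[str]]


def resolve_all(fqdn: str) -> Set[str]:
    """Default resolver: every A/AAAA answer the system resolver returns."""
    return {info[4][0] for info in socket.getaddrinfo(fqdn, None)}


def current_addresses(fqdns: Iterable[str], resolver: Resolver = resolve_all) -> Set[str]:
    """Resolve all names and return the normalised set of addresses (v4 and v6)."""
    addrs: Set[str] = set()
    for name in fqdns:
        for ip in resolver(name):
            # ip_address() normalises forms such as "2001:DB8::1" vs "2001:db8::1".
            addrs.add(str(ipaddress.ip_address(ip)))
    return addrs


def plan_rule_update(rule_addrs: Iterable[str], fqdns: Iterable[str],
                     resolver: Resolver = resolve_all) -> Dict[str, List[str]]:
    """Diff the addresses in the block rule against what DNS says today.

    Returns an idempotent change plan: addresses to add, to remove, and those
    already correct. Running it twice with unchanged DNS yields an empty add/remove.
    """
    wanted = current_addresses(fqdns, resolver)
    have = {str(ipaddress.ip_address(a)) for a in rule_addrs}
    return {
        "add": sorted(wanted - have),
        "remove": sorted(have - wanted),
        "unchanged": sorted(have & wanted),
    }


# Constructed sample data: what the rule holds now, and what DNS returns today.
SAMPLE_RULE = {"192.0.2.10", "192.0.2.11"}
SAMPLE_DNS = {
    "blocked.example.test": {"192.0.2.11", "192.0.2.12"},   # one IP rotated
    "cdn.example.test": {"2001:DB8::1"},                    # new v6 record
}


def sample_resolver(name: str) -> Set[str]:
    """Offline stand-in for resolve_all() using the constructed answers above."""
    return SAMPLE_DNS.get(name, set())


if __name__ == "__main__":
    print(plan_rule_update(SAMPLE_RULE, SAMPLE_DNS, sample_resolver))
```

Schedule this against the names you block and apply the plan to the rule; a large or constantly changing "add" list is the signal that the domain sits on a CDN or shared hosting, where IP blocking will also affect unrelated sites.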
05-03-2022 03:07 AM
@beconnect if you don't use Security Intelligence which requires a license, you can just manually create URL objects and permit/deny traffic - this does not require a URL license. https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/licensing_the_firepower_system.pdf
05-03-2022 09:39 AM
Hi Rob
Can you help me with finding that?
I am not able to see where to create a URL object. I only see network or host objects.
Sorry maybe my bad
05-03-2022 10:01 AM
@beconnect you are running FTD 6.2.3.6; it's more than likely not supported in such an old version if you cannot see it.
You'll need to upgrade, the latest supported version for your hardware is 7.0 - this will support the feature you require.
https://software.cisco.com/download/home/286285782/type/286306337/release/7.0.0
02-24-2023 08:49 AM
Robin
I have a URL filtering license to install.
Can it be done on FTD 6.2.3.6, or is it needed to have 7.0.x?
If so can we move directly to 7.0.x or any upgrade path?
Regards