04-04-2017 09:00 PM - edited 03-12-2019 02:10 AM
Hi
Can anyone help me with the query below?
The URL filtering option in the Cisco ASA5516-X does not appear to be working or blocking websites based on category. For example, if I select the category Games to block all websites related to Games and apply it to the device, the filtering does not block websites related to Games.
I am using ASDM for Configuring Firepower services.
Current ASA version is 9.6
ASDM version is 7.6
ASA FirePOWER version 5.4.1
04-04-2017 09:27 PM
Can you share a screen shot of your access control policy including details of the rules that are not working?
Also you are running a very old version of FirePOWER - it's actually the first release for that platform. The current release is 6.2.0.1
04-04-2017 10:56 PM
Hi Marvin
We are using a demo 5516-X; that's the reason we have the old version of FirePOWER.
Kindly find the screenshots of the ACLs created and the URL blocking applied on the device. As you can observe, the category-wise blocking is not happening as per the policies configured.
04-04-2017 11:12 PM
OK that looks pretty good.
Can you confirm that the source address is a private network (RFC 1918 space) and that the URL Filtering license is applied?
Also check the Monitoring tab to look for the connection record details when you access that site. Let's see if that gives any clues.
04-05-2017 12:58 AM
Hi Marvin
The private network is the source from where the request comes (local network) and URL filtering is applied to it.
I have also attached the Connection monitoring snapshot which shows the blocked action for the individual object Poker.com.
Websites are getting Blocked if I create individual object. Category based blocking is not working.
04-05-2017 01:21 AM
I checked this document:
http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118852-technote-firesight-00.html#anc15
...and see there were some bugs fixed in 5.4.1.1 and later which "Resolved an issue where, in some cases, you were not able to get URL category or URL reputation information. (CSCur38971, CSCus59492)".
I suspect if you upgrade your FirePOWER release you will find this issue is resolved.
You should also confirm that your FirePOWER module itself can resolve FQDNs and reach the Internet as that could also cause this issue. (Use the expert mode cli and do an nslookup and something like a curl to access an https site.)
admin@firepower:~$ sudo curl -vvk https://www.google.com
* Rebuilt URL to: https://www.google.com/
* Trying 216.58.217.132...
* Connected to www.google.com (216.58.217.132) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
* start date: Mar 22 16:27:10 2017 GMT
* expire date: Jun 14 16:16:00 2017 GMT
* issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.48.0
> Accept: */*
>
< HTTP/1.1 200 OK
<output truncated>
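The reachability check described in the reply above (nslookup, then a curl to an https site from the module's expert-mode shell), scripted as an added example. This is not code from the thread or from Cisco; the stage names and the sample transcripts are constructed, and the script only assumes that nslookup and curl are available on the module, as the reply says they are. It classifies how far a verbose curl run got, so a DNS failure can be told apart from a TCP, TLS or HTTP failure before any URL-category troubleshooting starts.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): automates the
# nslookup + curl reachability check and reports which stage failed.
# Stage names and the SAMPLE_* transcripts below are constructed.

# classify_curl_transcript: read a `curl -v` transcript on stdin and print
# the furthest stage reached: dns_fail, tcp_fail, tls_fail, http_fail or ok.
# The match strings are the ones curl prints on those lines.
classify_curl_transcript() {
    t=$(cat)
    if printf '%s\n' "$t" | grep -q '^< HTTP/'; then
        echo ok            # got an HTTP status line: the full path works
    elif printf '%s\n' "$t" | grep -q 'SSL connection using'; then
        echo http_fail     # TLS completed but no HTTP response came back
    elif printf '%s\n' "$t" | grep -q '^\* Connected to'; then
        echo tls_fail      # TCP connected, TLS handshake never finished
    elif printf '%s\n' "$t" | grep -q 'Could not resolve host'; then
        echo dns_fail      # the name never resolved: fix DNS first
    else
        echo tcp_fail      # name resolved but no TCP connection was made
    fi
}

# check_sensor_egress: live check to run on the module. Uses only nslookup
# and curl. Prints the stage reached and returns 0 only on a full HTTP reply.
check_sensor_egress() {
    host=${1:-www.google.com}
    if ! nslookup "$host" >/dev/null 2>&1; then
        echo dns_fail
        return 1
    fi
    # curl -v writes the transcript to stderr; capture it, drop the page body.
    transcript=$(curl -sS -vk --max-time 15 "https://$host/" 2>&1 >/dev/null)
    stage=$(printf '%s\n' "$transcript" | classify_curl_transcript)
    echo "$stage"
    [ "$stage" = ok ]
}

# Constructed sample transcripts, trimmed to the lines the classifier keys on.
SAMPLE_OK='* Connected to www.google.com (216.58.217.132) port 443 (#0)
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
< HTTP/1.1 200 OK'
SAMPLE_DNS_FAIL='* Could not resolve host: www.google.com
* Closing connection 0'
SAMPLE_TLS_FAIL='* Connected to www.google.com (216.58.217.132) port 443 (#0)
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Closing connection 0'

# On the module, uncomment to run the live check:
# check_sensor_egress www.google.com
```

A dns_fail result points at the module's resolver configuration rather than at the access control policy, which is exactly the situation the next reply in the thread describes; tls_fail or http_fail on a known-good site usually means an upstream device is intercepting or filtering the module's own traffic, which also starves the category lookup.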
04-05-2017 06:35 AM
04-05-2017 07:06 AM
Since you cannot resolve public FQDNs, it appears your configured DNS is not resolving addresses for you. Fix that first and then re-try.
If you need to upgrade, it's easiest to just re-image and reconfigure if there's not any significant configuration on the unit. Instructions for that are here:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/modules-sfr.html#pgfId-1485989
If it's a demo unit are you a partner or has your partner SE provided it to you? If the latter, they should be able to assist.