block all https traffic, only allow *.microsoft.com and any url inside

ivan.yeung
Level 1

Hi all,

Is there any Cisco product that is able to do that?


8 Replies

MrBeginner
Spotlight

Hi,

You should explain your use case more, e.g. do you need routers or firewalls, and what is your traffic flow?

Hi MrBeginner,

Let's say an enterprise doesn't allow its employees to access the internet by default; they access only the specific web sites they have requested.

Let's say employee A requested access to O365. What does the network admin have to do to get this job done at the firewall level?

O365 contains different URLs, so it won't work if using a URL as a security object?

Microsoft publishes a listing of the IP addresses its services map to. You can use that listing to create an object which can then be used in an ACL.

See this example:

https://github.com/chrivand/Firepower_O365_Feed_Parser

Cisco has also developed the Cisco Secure Dynamic Attributes Connector (CSDAC) which allows you to automate the process using newer versions of Cisco Secure Firewall (7.0+).

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/integrations/dynamic-attributes-connector/1-0/cisco-secure-dynamic-attributes-connector/about-dynamic-attributes-collector.html
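As an added illustration of the approach above (this is not the thread's code nor the Firepower_O365_Feed_Parser project's code), the following script turns a feed in the shape of Microsoft's endpoint web service JSON into an ASA-style object group. It assumes the feed's `urls`, `ips`, `category` and `required` field names and ASA `object network` / `object-group network` syntax; the sample feed is constructed, not real Microsoft data.

```python
import ipaddress
import json

# Constructed sample in the shape of the Microsoft 365 endpoint web service
# JSON. Values are illustrative only, not the real published prefixes.
SAMPLE_FEED = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "urls": ["outlook.office.com", "outlook.office365.com"],
     "ips": ["13.107.6.152/31", "2603:1006::/40"], "tcpPorts": "80,443"},
    {"id": 2, "serviceArea": "SharePoint", "category": "Optimize", "required": True,
     "urls": ["*.sharepoint.com"],
     "ips": ["13.107.136.0/22", "13.107.136.0/22"], "tcpPorts": "80,443"},
    {"id": 3, "serviceArea": "Common", "category": "Default", "required": False,
     "urls": ["*.microsoft.com"], "tcpPorts": "80,443"},
])

def parse_feed(feed_json, categories=("Optimize", "Allow")):
    """Collect required endpoints in the chosen categories and return
    (ipv4_nets, ipv6_nets, fqdns, wildcards), each deduplicated and sorted."""
    ipv4, ipv6, fqdns, wildcards = set(), set(), set(), set()
    for entry in json.loads(feed_json):
        if not entry.get("required") or entry.get("category") not in categories:
            continue
        for cidr in entry.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            (ipv4 if net.version == 4 else ipv6).add(net)
        for url in entry.get("urls", []):
            # A wildcard host (*.sharepoint.com) is not a single FQDN, so it is
            # reported separately rather than silently turned into an object.
            (wildcards if url.startswith("*.") else fqdns).add(url)
    return sorted(ipv4), sorted(ipv6), sorted(fqdns), sorted(wildcards)

def asa_object_group(name, ipv4, ipv6, fqdns):
    """Render ASA-style config: one FQDN network object per hostname, then an
    object-group bundling the prefixes and FQDN objects for use in an ACL."""
    lines = []
    for i, fqdn in enumerate(fqdns):
        lines += [f"object network {name}-fqdn-{i}", f" fqdn {fqdn}"]
    lines.append(f"object-group network {name}")
    lines += [f" network-object {n.network_address} {n.netmask}" for n in ipv4]
    lines += [f" network-object {n.with_prefixlen}" for n in ipv6]
    lines += [f" network-object object {name}-fqdn-{i}" for i in range(len(fqdns))]
    return "\n".join(lines)

if __name__ == "__main__":
    v4, v6, fq, wc = parse_feed(SAMPLE_FEED)
    print(asa_object_group("O365", v4, v6, fq))
    print("! wildcard hosts that need URL filtering instead:", ", ".join(wc))
```

FQDN objects are resolved by the firewall's own DNS lookups, so they only match reliably when the firewall and the clients see the same DNS answers; the wildcard hosts the script reports separately are the ones that need a URL-filtering product rather than an ACL.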

Hi Marvin Rhoads,
Thanks for your suggestions. Is there any scalable way to apply this to less well-known web sites?

If it's just a web site and not a collection of services then you can simply use an FQDN in your ACL.

What if that web site has tons of FQDNs inside? Then I can only input those tons of FQDNs one by one in the firewall ACL?

Correct. Doing whitelisting (vs. blacklisting) can be a very tedious process. That's one reason why very few organizations use that approach.

Marvin Rhoads
Hall of Fame

Yes, at least 3 products can do that: Cisco Secure Firewall (formerly known as Firepower Threat Defense), Umbrella SIG and Cisco Secure Web Appliance (formerly known as WSA).

Which one is right for you (if any of them are) depends on a lot of things, as @MrBeginner alluded to.
