07-24-2014 08:27 AM - edited 03-11-2019 09:32 PM
Hello,
Is it possible to block facebook (http and https) using ASA firewall (without CSC)? I know that http can be blocked by blocking traffic going out to FB addresses, but how about https?
Thank you.
07-24-2014 09:42 AM
I know this is not the answer that you're looking for, but it is better to use a dedicated, cheap web filtering solution. Although you can block HTTP destinations by address in a firewall, it is not flexible enough. Whenever a new address for that destination comes to life, you must manually add it to your blocking list, and whenever an old address for that destination dies, you must manually remove it from your blocking list. The result is "Headache".
On the other hand, you only need a single check box beside the "Social Networking" category in the web filter.
My personal experience is to avoid firewalls when it comes to blocking "Web Sites" because they are a headache in that matter.
Just my 2 cents.
07-24-2014 06:04 PM
It's a REALLY crappy/non-scalable solution but you could do something like this using DNS names and ACLs.
! DNS lookups are required so the ASA can resolve the FQDN objects below
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 4.2.2.2
! One network object per site, matched on whatever the FQDN currently resolves to
object network www.pandora.com
 fqdn www.pandora.com
object network www.netflix.com
 fqdn www.netflix.com
object-group network Blocked-Websites
 network-object object www.pandora.com
 network-object object www.netflix.com
! Create DHCP reservations or set static IPs for users/servers that will not be filtered
object-group network Unfiltered-Users
 network-object host 192.168.10.5
 network-object host 192.168.10.6
! First match wins: exempt hosts first, then the deny, then everything else
access-list inside extended permit ip object-group Unfiltered-Users any
access-list inside extended deny ip any object-group Blocked-Websites
access-list inside extended permit ip any any
access-group inside in interface inside
07-24-2014 06:55 PM
Well, be my guest to MANUALLY add a web site every time you want to block something in your blocked websites object group. Is this the scalability you want? What if there is an exception and a couple of users from subnet X ask you to open Netflix and block it for the rest of the subnets? Do you have the scalability in the ASA to do this? Can't you see the amount of configuration you added to the ASA just to block certain web sites? Can't you see that I respectfully mentioned that my answer may not be the answer that you're looking for?
Respect others' opinions or Get lost.
07-25-2014 04:07 AM
I wasn't referring to your post at any point in time. I was describing my own half-baked web filtering using DNS and ACLs as crappy and non-scalable.
07-25-2014 05:38 AM
OMG lol, I am so sorry Kevin ;)
08-01-2014 04:21 AM
Haha, no worries
07-25-2014 03:09 AM
Hi,
You cannot do much to block in the ASA... whatever you do, the FQDN ACL will not block effectively... it can still be accessible via the leakage... at one of my client locations we identified the FB subnet range for that location and blocked the entire range...
Say we blocked 173.252.110.0/24 and so on, whatever we observed as the FB subnets....
In this case, even if they use extended URLs, they won't get the web page at any cost....
Regards
Karthik
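The FQDN-object ACL posted earlier and the observed-subnet block described in this post both reduce to the same thing: an ordered, first-match IP ACL on the inside interface. The following is an added example, not code from the thread or from Cisco, that renders that ACL from a small policy (FQDN objects plus a raw subnet, exempt hosts, and the per-site exception raised in the thread) and then simulates the ASA's first-match evaluation so the ordering can be checked before it is pasted into a box. Every address, FQDN-to-IP mapping and subnet in it is constructed (documentation and RFC 1918 ranges), standing in for what the ASA's own DNS lookup or a capture would give you.

```python
"""Render and sanity-check an ASA-style blocklist ACL (added example, not from the thread)."""
import ipaddress

# Constructed sample policy: documentation/private ranges, not real FB or Netflix addresses.
POLICY = {
    "blocked_fqdns": ["www.netflix.com", "www.pandora.com"],
    "blocked_subnets": ["203.0.113.0/24"],          # a whole observed range, as in Karthik's post
    "unfiltered_hosts": ["192.168.10.5", "192.168.10.6"],
    # Per-site exception: this host may reach Netflix while everyone else stays blocked.
    "exceptions": {"www.netflix.com": ["192.168.20.7"]},
}

# Constructed stand-in for what the ASA's DNS lookup would resolve each FQDN object to.
RESOLVED = {
    "www.netflix.com": ["198.51.100.10"],
    "www.pandora.com": ["198.51.100.20"],
}

ANY = [ipaddress.ip_network("0.0.0.0/0")]


def _nets(addrs):
    return [ipaddress.ip_network(a) for a in addrs]


def build_rules(policy=POLICY, resolved=RESOLVED):
    """Ordered (action, src_nets, dst_nets) tuples mirroring the ACL lines the ASA would evaluate."""
    rules = [("permit", _nets(policy["unfiltered_hosts"]), ANY)]
    for site, hosts in policy["exceptions"].items():
        rules.append(("permit", _nets(hosts), _nets(resolved[site])))
    blocked = _nets(policy["blocked_subnets"])
    for site in policy["blocked_fqdns"]:
        blocked += _nets(resolved[site])
    rules.append(("deny", ANY, blocked))
    rules.append(("permit", ANY, ANY))
    return rules


def evaluate(rules, src, dst):
    """First-match evaluation, as the ASA does; the trailing implicit deny is included."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, srcs, dsts in rules:
        if any(s in n for n in srcs) and any(d in n for n in dsts):
            return action
    return "deny"


def render_asa_config(policy=POLICY):
    """Emit object, object-group and access-list lines in the order that makes the exceptions work."""
    lines = []
    for site in policy["blocked_fqdns"]:
        lines += [f"object network {site}", f" fqdn {site}"]
    lines.append("object-group network Blocked-Websites")
    for site in policy["blocked_fqdns"]:
        lines.append(f" network-object object {site}")
    for cidr in policy["blocked_subnets"]:
        net = ipaddress.ip_network(cidr)
        lines.append(f" network-object {net.network_address} {net.netmask}")
    lines.append("object-group network Unfiltered-Users")
    lines += [f" network-object host {h}" for h in policy["unfiltered_hosts"]]
    acl = "access-list inside extended"
    # Order matters: exempt-host permits before the deny, the deny before permit any any.
    lines.append(f"{acl} permit ip object-group Unfiltered-Users any")
    for site, hosts in policy["exceptions"].items():
        lines += [f"{acl} permit ip host {h} object {site}" for h in hosts]
    lines.append(f"{acl} deny ip any object-group Blocked-Websites")
    lines.append(f"{acl} permit ip any any")
    lines.append("access-group inside in interface inside")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_asa_config())
    rules = build_rules()
    for src, dst in [("192.168.20.7", "198.51.100.10"), ("192.168.20.7", "198.51.100.20"),
                     ("192.168.30.1", "203.0.113.77"), ("192.168.10.5", "203.0.113.77")]:
        print(src, "->", dst, evaluate(rules, src, dst))
```

Because the ACL matches on IP (`deny ip`), it applies to HTTPS as well as HTTP; what it cannot do is follow a site whose addresses change faster than the FQDN object re-resolves or than you re-capture the subnets, which is the leakage and maintenance burden the thread complains about.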
08-01-2014 10:56 PM
CX/Sourcefire is the answer to your troubles :) Or a web filtering engine as suggested above.