Blocking Internet to AD Group

Richard.Moore
Level 1

I have a Cisco ASA with Firepower. We are looking to lock down some machines by blocking the internet to them. Problem is they need internet access for our antivirus setup. I want to create a rule/policy to block internet to specific machines defined by AD group, except for websites needed for antivirus. We already have the AD group defined, let's call it NoInternet, and our Firepower module is set up to sync with AD. I also have the URLs we need allowed for antivirus.

Is it best to just add a policy to 1. allow NoInternet devices to the defined antivirus websites, then 2. block NoInternet from all other URLs?
Sounds simple in my mind, but I'm not 100% sure Firepower is the best way to do it. We could statically IP the machines and just block them on the ASA ACLs from anything other than antivirus, but the possibility of someone changing IP settings over time is pretty high. Also, we are using ASDM to manage Firepower.

Accepted Solution

Hi Richard,

You can allow or deny access to the internet on the basis of AD groups, but Firepower binds the IP to the user initially, when the user authenticates. If the user changed his/her machine's IP after authentication or changed the network (let's say from wired to wireless) without reauthentication, then Firepower will not be able to identify the user. Instead you can whitelist the antivirus URLs and blacklist all others.

Spooster IT Services Team


3 Replies

Marvin Rhoads
Hall of Fame

The policy you suggested would be the recommended way to go.

Having your user identities and AD groups updated dynamically and the ability to use them in your policies is one of the advantages of having AD integrated with Firepower.


After reviewing in more detail, I do find this to be correct and a possible risk (device changing IPs and Firepower not updated in a timely fashion). We are considering and may choose a different, more static approach, as we have had problems with the User Agent staying up and active.

Thank you for the input!
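The static-IP alternative raised in the thread, written out as an added example (not configuration from the thread or from Cisco): an ASA ACL that lets the restricted machines reach only the antivirus hosts and internal networks and logs everything else they try. The interface name inside, the DNS server 10.1.1.5, the host addresses 10.1.1.50-51 and the antivirus hostnames are constructed placeholders; the machines are assumed to hold fixed addresses via static IP or DHCP reservation.

```cisco
! Machines to restrict (constructed addresses; assumes static IPs or DHCP reservations)
object-group network NoInternet-Hosts
 network-object host 10.1.1.50
 network-object host 10.1.1.51
!
! Internal ranges the restricted machines may still reach (DNS, AD, file shares)
object-group network Internal-Nets
 network-object 10.0.0.0 255.0.0.0
!
! Antivirus update hosts, resolved by the ASA's own DNS lookups (hostnames are placeholders)
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.1.1.5
object network AV-Updates
 fqdn v4 updates.example-av.com
object network AV-Cloud
 fqdn v4 cloud.example-av.com
object-group network AV-Servers
 network-object object AV-Updates
 network-object object AV-Cloud
!
! ACL applied inbound on the inside interface: first match wins, so permits precede the deny
access-list INSIDE_IN extended permit ip object-group NoInternet-Hosts object-group Internal-Nets
access-list INSIDE_IN extended permit tcp object-group NoInternet-Hosts object-group AV-Servers eq 443
access-list INSIDE_IN extended permit tcp object-group NoInternet-Hosts object-group AV-Servers eq 80
! Everything else from the restricted machines is dropped and logged for review
access-list INSIDE_IN extended deny ip object-group NoInternet-Hosts any log
! Remaining hosts keep normal access (merge with any ACL already bound to this interface)
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
```

FQDN objects only track the addresses the ASA itself resolves, so a vendor that serves updates from many rotating CDN addresses may need its published IP ranges added to AV-Servers instead.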
