08-23-2024 05:58 AM
The 2140s are managed by FMC.
In my ACPs, I have a policy for blocking. In this policy, the main components it is blocking are URLs. We have all the default groups that should be blocked. And we also have a custom list of URLs that we block too. This list is made in Objects > Security Intelligence > URL Lists and Feeds.
The list is just a .txt file that is a master list of 1500+ URLs that we block, and I just upload it into FMC. One of the URLs on the list is www.tiktok.com, and it works great at blocking access to TikTok from a web browser.
The issue is that the TikTok app is still accessible. Whether it be a Windows app or an iOS/Android phone app, you can still access it that way.
You can see in the screenshot of the access control policy that I did add TikTok and TikTok Music app to the block list. That did not block the TikTok app though. I then went into Objects > Application Filters and created a custom filter. I named it TikTok and in there also added TikTok and TikTok Music app. I then applied that filter to the ACP. Still no luck. TikTok is still accessible on phones and Windows apps.
So I started to watch the logs as I was accessing TikTok from my phone to see what is coming up. I can see the TikTok web application being used, and noticed that every time it is accessed, it is a different URL every time....
So my question is, what is the right way to make sure the TikTok app is blocked from our network? Am I doing the app blocking correctly? Is there some type of wildcard URL filter I need to put in to block all the random TikTok URLs coming up from the app being used? As I said, I am blocking "www.tiktok.com" from web browsers via URL filtering, but just can't figure out how to block the actual app.
Thanks!
08-23-2024 06:10 AM
Make separate ACP entries for URLs and Apps. Otherwise the rule logic looks to logically combine (Boolean AND) the separate parameters.
08-23-2024 08:36 AM - edited 08-23-2024 08:47 AM
So I tried that and still no luck. I have attached pictures so you can see the rule I made, its placement, and the logs I am seeing from the iPhone I am testing with.
Here is also a link that might make it easier to look at the 3 pictures....
08-23-2024 08:02 AM
Try making an ACP rule and only include the TikTok app and the source subnets you want to block for.
08-23-2024 08:37 AM - edited 08-23-2024 08:47 AM
So I tried that and still no luck. I have attached pictures so you can see the rule I made, its placement, and the logs I am seeing from the iPhone I am testing with.
Here is also a link that might make it easier to look at the 3 pictures....
08-23-2024 08:16 AM
Have you tried a rule where you block the detected application? You could try inserting that above the rule that blocks the URL list.
08-23-2024 08:37 AM - edited 08-23-2024 08:46 AM
So I tried that and still no luck. I have attached pictures so you can see the rule I made, its placement, and the logs I am seeing from the iPhone I am testing with.
Here is also a link that might make it easier to look at the 3 pictures..
08-23-2024 09:35 AM
I think you need SSL decrypt.
The FTD cannot detect the app-id until it decrypts the SSL session and sees inside the packet.
You need to check if the traffic is HTTP or HTTPS.
Sorry, you need a license, I think, to run this feature.
MHM
08-23-2024 09:51 AM
So how can it block https://www.tiktok.com if it too is using https?
08-23-2024 09:53 AM
An SSL policy you need.
MHM
08-23-2024 09:55 AM
Hmm, ok. I might need to open a TAC case.
08-23-2024 10:01 AM
Sure, open a TAC case and check their opinion.
App detection happens before and after SSL decrypt, so this is my view of the issue.
Good luck, and update us about the solution.
MHM
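The two points raised in this thread (conditions inside one ACP rule are ANDed, so URL and application conditions belong in separate rules, and an application condition can only fire when the application was actually identified, which for TLS traffic depends on decryption) can be checked against a small rule evaluator. This is an added example written for this thread, not FMC/FTD code; it is a simplified model of the rule logic, and the flows, hostnames and subnets in it are constructed placeholders.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Flow:
    src_ip: str
    host: str                  # hostname the firewall can see for the connection
    app: Optional[str] = None  # application identified by inspection; None when not identified

@dataclass
class Rule:
    name: str
    action: str                                   # "block" or "allow"
    urls: set = field(default_factory=set)        # URL-list condition (exact host match, as uploaded)
    apps: set = field(default_factory=set)        # application-filter condition
    src_nets: list = field(default_factory=list)  # source network condition

    def matches(self, f: Flow) -> bool:
        # Conditions inside one rule are ANDed: every non-empty condition must match.
        if self.urls and f.host not in self.urls:
            return False
        if self.apps and f.app not in self.apps:
            return False
        if self.src_nets and not any(ip_address(f.src_ip) in ip_network(n) for n in self.src_nets):
            return False
        return True

def evaluate(policy, flow, default="allow"):
    # First matching rule wins, top to bottom; unmatched traffic gets the default action.
    for rule in policy:
        if rule.matches(flow):
            return rule.name, rule.action
    return "default", default

URL_LIST = {"www.tiktok.com"}             # stands in for the uploaded master URL list
APP_FILTER = {"TikTok", "TikTok Music"}   # the custom application filter from the thread
COMBINED = [Rule("block-url-and-app", "block", urls=URL_LIST, apps=APP_FILTER)]
SEPARATE = [Rule("block-urls", "block", urls=URL_LIST),
            Rule("block-apps", "block", apps=APP_FILTER, src_nets=["10.1.0.0/16"])]

FLOWS = {  # constructed sample flows; hostnames are placeholders, not real app endpoints
    "browser": Flow("10.1.1.10", "www.tiktok.com", "TikTok"),
    "app_decrypted": Flow("10.1.1.11", "cdn-7.app-host.example", "TikTok"),
    "app_encrypted": Flow("10.1.1.12", "cdn-9.app-host.example", None),
}

def outcomes(policy):
    # Map each sample flow to the action the policy takes on it.
    return {name: evaluate(policy, f)[1] for name, f in FLOWS.items()}
```

Running `outcomes(COMBINED)` shows the app flow on an unlisted host slipping through the combined rule, while `outcomes(SEPARATE)` blocks it; the flow whose application was never identified is allowed by both policies, which is the case the SSL decryption suggestion addresses.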
08-23-2024 10:03 AM
Yeah, not saying I don't trust your opinion, but creating an SSL decryption policy is above my level. Going to open a TAC case to assist with that. Thanks!
08-23-2024 10:07 AM
Friend
You are so welcome anytime
MHM
08-23-2024 11:22 AM
I found the Cisco Secure Firepower documentation on setting up decryption to be lacking. If you are in an Active Directory environment, this video may be useful.
https://www.youtube.com/watch?v=tAIdcZ3EBiw
Once you have the Sub-CA enabled and are able to decrypt traffic, this doc proved quite useful for me in crafting the decryption policy.
https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3063.pdf