cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1109
Views
5
Helpful
15
Replies

Blocking TikTok app on Firepower 2140

net_ad
Level 1
Level 1

The 2140s are managed by FMC.

In my ACPs, I have a policy for blocking. In this policy, the main components it is blocking are URLs. We have all the default groups that should be blocked. And we also have a custom list of URLs that we block to. This list is made in Objects> security intelligence> URL lists and feeds.

https://imgur.com/a/admkjnI

The list is just a .txt file that is a master list of 1500+ URLs that we block and I just upload it into FMC. One of the urls on the list is www.tiktok.com, and it works great at blocking access to tiktok from a web browser.

The issue is that the tiktok app is still accessible. Weather it be a windows app or a ios/android phone app, you can still access it that way.

You can see in the screenshot of the access control policy that I did add tiktok and tiktok music app to the block list. That did not block the tiktok app though. I then went into objects>application filters and created a custom filter. I named it Tiktok and in there, also added tiktok and tiktok music app. I then applied that filter to the ACP. Still no luck. Tiktok is still accessible on phones and windows apps.

So I started to watch the logs as I was accessing tiktok from my phone to see what is coming up. I can see the tiktok web application being used, and noticed that everytime it is accessed, it is a different url everytime....

https://imgur.com/a/FHswKip

So my question is, what is the right way to make sure the tiktok app is blocked from our network? Am I doing the app blocking correctly? Is there some type of wildcard url filter I need to put in to block all the random tiktok urls coming up from the app being used? As I said, i am blocking "www.tiktok.com" from web browsers via url filtering, but just cant figure out how to block the actual app.

Thanks!

15 Replies 15

Marvin Rhoads
Hall of Fame
Hall of Fame

Make separate ACP entries for URLs and Apps. Otherwise the rule logic looks to logically combine (Boolean AND) the separate parameters.

So I tried that and still no luck. I have attached pictures so you can see the rule I made, its placement, and the logs I am seeing from the iphone I am testing with. 

 

Here is also a link that might make it easier to look at the 3 pictures....

 

https://imgur.com/a/mkIsJLJ

Try making an ACP rule and only include the TikTok app and the source subnets you want to block for.

--
Please remember to select a correct answer and rate helpful posts

So I tried that and still no luck. I have attached pictures so you can see the rule I made, its placement, and the logs I am seeing from the iphone I am testing with. 

 

Here is also a link that might make it easier to look at the 3 pictures....

 

https://imgur.com/a/mkIsJLJ

davparker
Level 1
Level 1

Have you tried a rule where you block the detected application? You could try inserting that about the rule that blocks the URL list.

So I tried that and still no luck. I have attached pictures so you can see the rule I made, its placement, and the logs I am seeing from the iphone I am testing with. 

 

Here is also a link that might make it easier to look at the 3 pictures..

 

https://imgur.com/a/mkIsJLJ

I think you need ssl decrypt' 

The FTD can not detect app-id until it decrypt ssl session and see inside packet.

You need to check if traffic is http or https

Sorry you need license I think to run this feature 

MHM

So how can it block https://www.tiktok.com if it too is using https?

Ssl policy you need 

MHM

hmm ok. I might need to open a tac case

Sure Open TAC abd check them opinion

aap detect is happened before and after ssl decrypt' so this my view to issue

Goodluck and update us about solution 

MHM

Yeah not saying I dont trust your opinion, but creating an SSL decryption policy is above my level. Going to open a TAC case to assist with that. Thanks!

Friend 

You are so welcome anytime 

MHM

davparker
Level 1
Level 1

I found the Cisco Secure Firepower documentation on setting up decryption to be lacking. If you are in an Active Directory environment, this video may be useful.

https://www.youtube.com/watch?v=tAIdcZ3EBiw

Once you have the Sub-CA enabled and are able to decrypt traffic, this doc proved quite useful for me in crafting the decryption policy.

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3063.pdf

 

In this video we will setup Firepower TLS decryption capabilities to ensure we are inspecting all traffic and not missing threats embedded in TLS. We will leverage a MS CA to sign the CSR from Firepower to enable Firepower to issuing Certificates. This also helps with browser errors when using ...
Review Cisco Networking for a $25 gift card