Solved: Check if a URL is already blocked - FMC

Brad_Shawh · ‎09-28-2020

Time and again I keep getting requests to block xyz.com on Firepower.

Is there a way to check if a particular URL is already blocked on Firepower's SI or something like that?

I am on FMC 6.4

Mohammed al Baqari · ‎09-28-2020

+5 manabans.

Shawh, If its blocked by FP, you should it see it in FMC connection events as
blocked (assuming that you enabled logging for the rules that use SI). The categorization will show where it falls but not if blocked or not.

***** please remember to rate useful posts

View solution in original post

manabans · ‎09-28-2020

You can manually look up the category and reputation of URLs. Login to FMC UI, navigate to Analysis > Advanced > URL, enter the particular URL, and search.

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/using_lookups.html

Brad_Shawh · ‎09-29-2020

Thank you.

Yes, I looked up the URL, the news ones almost always come up as 'Category / Risk : Unknown', so Firepower won't block them.

Mohammed al Baqari · ‎09-28-2020

+5 manabans.

Shawh, If its blocked by FP, you should it see it in FMC connection events as
blocked (assuming that you enabled logging for the rules that use SI). The categorization will show where it falls but not if blocked or not.

***** please remember to rate useful posts

Brad_Shawh · ‎09-29-2020

Thank you, Mohammed.

Precisely what I was looking for. The Risk / Category comes up as unknown, so my policies don't work.

But thanks, your answer was on point.