07-02-2016 07:46 AM - edited 03-12-2019 06:03 AM
Hi,
I was trying to configure Cisco Firepower URL filtering through ASDM.
However, I am trying to create an access policy through ASDM, but I am getting confused about the next steps. Please find the attached screenshot.
Where to go next?
Regards
Vaibhav
Solved! Go to Solution.
07-02-2016 11:13 PM
Hi Vaibhav,
You don't need to create a new access control policy. Edit the default policy and then, inside that policy, create rules.
Only one access control policy will be applied to the device at a time.
Inside the access control policy, you can create rules based on category or custom URL.
Please check this article:
http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/117956-technote-sourcefire-00.html
Though this is for FireSIGHT, the rule creation process is the same in ASDM as well.
Rate if it helps.
Yogesh
07-03-2016 07:20 AM
Thanks Yogesh.
I was able to create an access policy. I created a standard rule to block social network websites, but the access still goes through; I cannot see any traffic on my Firepower logging monitor.
I do have the commands on my ASA to redirect traffic to Firepower:
EFC-FW# sh run | in sfr
access-list sfr_redirect extended permit ip any any
class-map sfr
match access-list sfr_redirect
class sfr
sfr fail-open
EFC-FW#
Please let me know what I am missing! Awaiting your reply.
Thanks in advance.
Regards
Vaibhav
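The `sh run | in sfr` filter in the post above only prints lines containing "sfr", so it drops the policy-map and service-policy lines that actually tie the class to an interface; the output alone cannot show whether redirection is applied. Below is an added example (not from the original post or Cisco's documentation) of the complete ASA-side configuration, with the global policy name and the fail-open choice as assumptions, followed by the show commands used to confirm that flows are reaching the module.

```cisco
! Added example, not from the original thread. Only sfr_redirect and sfr are taken
! from the post; global_policy is the usual default name but is an assumption here.
! Match all traffic; narrow this ACL later if only some subnets should be inspected.
access-list sfr_redirect extended permit ip any any
!
class-map sfr
 match access-list sfr_redirect
!
! The class must live in a policy-map that is applied with service-policy.
! "sh run | in sfr" hides these lines because they do not contain "sfr".
! On most ASAs global_policy already exists; just add the class to it.
policy-map global_policy
 class sfr
  sfr fail-open
!
! fail-open  : traffic passes uninspected if the module is down or unresponsive
! fail-close : traffic is dropped instead (stricter; prefer it once the module is stable)
!
service-policy global_policy global
!
! Verification from the ASA:
! show service-policy sfr    -> card status and packet counters; counters must increase
! show module sfr details    -> module state and the management IP it is using
! session sfr console        -> module CLI, e.g. "show network" for its mgmt settings
```

If `show service-policy sfr` shows no packets and the class is present, the usual cause is that the service-policy line was never applied (or was applied to a different interface than the traffic enters).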
07-03-2016 10:03 PM
Hi Vaibhav,
You might want to check this video regarding URL filtering and see if the settings match:
https://www.youtube.com/watch?v=nXIBDQqekPY
Looks like in your case, the correct policy is not getting hit.
Just check the video for a bit of troubleshooting and let us know if it helps.
Please rate and mark helpful posts.
Thanks,
Ankita
07-04-2016 01:08 AM
HI Ankita,
This video of yours was the first I watched to get into this further. Thanks for it.
I am now able to block URL objects but not via category. Looks like I have an issue with my SFR module not being able to connect to the internet. For some reason, I was not able to SSH into my SFR module after getting into the ASA, although it was working earlier.
I did find that the HTTPS port needs to be opened bidirectionally for updates to work. I have it opened to any to outside but none for inbound.
What IP address does the SFR module take to connect to the internet? Is it the management IP? What IP address do I use to open a rule for inbound HTTP/HTTPS for this?
Thanks in advance.
Regards
Vaibhav
07-04-2016 01:15 AM
Hello Team ,
For all the URL filtering updates to work, you have to open the following ports in the firewall:
Uses port 443 (bidirectional)
Uses port 80 (inbound)
Refer to the following link to verify that you meet all the requirements for URL filtering to work.
http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Communication-Ports.html
Rate if the post helps you.
Regards
Jetsy
07-04-2016 01:49 AM
Hi Jetsy, thanks for the reply. I am using ASDM and thus having trouble with URL updates.
Can you please advise what access list I need to make for inbound HTTPS?
What interface does the Firepower module use for its outbound connection to the internet?
Thanks
Regards
Vaibhav
07-04-2016 11:41 PM
Hi Vaibhav,
The SFR module uses its management IP for going out to the internet, so make sure
the default you are assigning to the SFR module is able to reach the internet.
You can allow all access to and from the management IP of the SFR module.
Rate if it helps.
Thanks,
Ankita
07-05-2016 04:30 AM
Hi Ankita,
Thanks for the info, I will try this and let you know the updates.
Is this not a security issue, to open access to the module from outside?
My management IP of the module is 192.168.10.2. Since I need bidirectional, I would require a static bidirectional NAT.
One more thing: when I click on URL category update and check logs on ASDM, I do not see any traffic from 192.168.10.2. This is the reason I wanted to check which IP address Firepower uses.
Also, are you aware of any list of IP addresses to allow from outside? I am reluctant to open any. I saw this from another document:
Additional IP Addresses that are also used by the support.sourcefire.com (in round robin method) are:
thanks in advance.
regards
Vaibhav
07-05-2016 02:05 PM
HI Ankita,
The issue is now resolved. There was a DNS issue. A DNS server was configured and the process had to be restarted.
No inbound connection was needed.
Thanks for all the help!!
Really appreciated.
Regards
Vaibhav
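Ankita's reply above and the resolution that followed amount to a short checklist: the module goes out from its own management IP (192.168.10.2 in this thread), that IP needs a working DNS server plus outbound TCP 80/443 through the ASA, and nothing has to be opened inbound from outside, so no static bidirectional NAT is required. As an added example (not from the thread or from Cisco), here are the ASA-side pieces for that; the interface names inside/outside, the DNS server 192.168.10.10 and the ACL name INSIDE_IN are assumptions, and the ACL is only relevant if an inbound ACL is applied on the inside interface at all.

```cisco
! Added example, not part of the thread. inside/outside, 192.168.10.10 and INSIDE_IN are assumptions.
! The module's management IP from the thread. Dynamic PAT behind the outside interface
! is enough for outbound updates; a static (bidirectional) NAT is not needed.
object network SFR_MGMT
 host 192.168.10.2
 nat (inside,outside) dynamic interface
!
! If an ACL is applied inbound on the inside interface, permit only what the module needs:
! DNS to resolve the update servers (the missing piece in this thread), then HTTP and HTTPS out.
! No rule from outside to 192.168.10.2 is added; the returning traffic is handled by the
! ASA's stateful connection table.
access-list INSIDE_IN extended permit udp host 192.168.10.2 host 192.168.10.10 eq domain
access-list INSIDE_IN extended permit tcp host 192.168.10.2 any eq www
access-list INSIDE_IN extended permit tcp host 192.168.10.2 any eq https
access-group INSIDE_IN in interface inside
!
! From the module CLI (session sfr console on the ASA) confirm the DNS setting
! the thread found missing:
! > show network
! > configure network dns servers 192.168.10.10
```

Keep the ACL to the module's own host address rather than "any": the management IP has broad reach into the update infrastructure, and a host-scoped rule makes it obvious in the ASA logs which traffic belongs to the module when, as in the thread, no hits from 192.168.10.2 are seen at all.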
07-03-2016 09:07 AM
Hi,
I am getting this message in my logs:
SFR requested ASA to bypass further packet redirection and process TCP flow from inside
Any idea on this?
Regards
Vaibhav
07-29-2019 10:52 AM
Have you heard back anything on this?
07-29-2019 08:33 PM
@pro_engineering this is a 3 year old thread. Please open a new discussion if you have current questions.