Cisco FirePower URL Blocking

burfisaini03
Level 1

Hi community

 

I have a question in regard to URL blocking. I want to set a rule in policy that would allow me to block all website access except for specific websites AD users need, such as email (OWA/Outlook client), ticketing system (Spiceworks), etc.

 

How would you guys approach this? The way I have done this is by creating an allow rule to the websites they need access to, and right under it creating a block rule with "ANY". However, I have noticed ALLOWED websites are loading very slowly, and Outlook takes 5 minutes on its initial boot-up. What am I doing wrong here, and is there a better way to approach this?

 

Thank you in advance

5 Replies

Hi,

URL filtering shouldn't cause slowness unless you are doing SSL
interception, which is impacting performance because of decryption.

From CLISH, check show cpu and show memory detail.

Hello Mohammed

 

We are not using any SSL with this policy.

 

It's a simple policy that allows internet access to all users, except for specific AD users, that have a "denied ANY" except for a couple of websites that I have allowed specifically for these users, placed above this block ANY rule. However, these allowed websites are taking a long time to load, taking up to almost 2-5 minutes. We are also noticing the Office 365 online portal doesn't take us to the next steps after sign-in because it's using different URLs in the back-end (for authentication). I hoped just allowing "microsoft.com, office365.com or outlook.com, etc." would help, but like I said there are more URLs involved, and it sucks I have to go in and allow more and more URLs just to get one website to work properly. Please let me know if you or anyone else has encountered this issue.

 

Thanks!

Hi,

You can refer to the O365 online URLs guide, which includes all the details
published by MS.

For URL filtering delay, this is a surprise to see. If you aren't using an SSL
policy, then I am assuming that the slowness is for HTTP websites only. In
this case, what actions do you have on the rule (IPS, file, etc.)?

I found the Microsoft page with their URLs and IP addresses. There are a lot of addresses, and I think URL filtering only supports max up to 50 entries. Do you know if FMC supports wildcards? I may have to shorten a few of them to fit these requirements. Ex. *.microsoft.com

I do have a policy that does Incoming/Outgoing File inspection, but nothing else I see that could be impacting this. I don't understand why this would only affect the AD users specified; all other users excluded from this list have no issues. Could this be an issue on the AD end, and if so, I can't think of reasons why? :/

 

Thanks!

There's a GitHub repo that has a project for downloading the Microsoft URLs into FMC as an object, which can then be used as needed in an Access Control Policy.

Have a look at it here:

https://github.com/chrivand/Firepower_O365_Feed_Parser
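
As an added example (not part of the thread and not code from the linked repository): a Python sketch that reduces an Office 365 endpoint list to a short allow list by dropping hostnames already covered by a wildcard entry in the same list. The sample data is constructed, its field names assume the JSON shape of Microsoft's published endpoint list, and the 50-entry chunk size is the figure mentioned in the thread, not a verified limit.

```python
import json

# Constructed sample; field names assume the JSON shape of Microsoft's
# published Office 365 endpoint list (serviceArea, urls, required).
SAMPLE = json.loads("""[
 {"id": 1, "serviceArea": "Exchange", "required": true,
  "urls": ["outlook.office.com", "outlook.office365.com"]},
 {"id": 2, "serviceArea": "Exchange", "required": true,
  "urls": ["*.outlook.com", "autodiscover.example-tenant.outlook.com"]},
 {"id": 3, "serviceArea": "Common", "required": true,
  "urls": ["*.office.com", "login.microsoftonline.com", "portal.office.com"]},
 {"id": 4, "serviceArea": "Common", "required": false,
  "urls": ["*.office.com", "www.example-optional.net"]},
 {"id": 5, "serviceArea": "Skype", "required": true, "ips": ["192.0.2.0/24"]}
]""")


def covered_by(host, pattern):
    """True if a '*.suffix' pattern from the list already matches host."""
    return (pattern.startswith("*.") and host != pattern
            and host.endswith(pattern[1:]))


def build_allowlist(endpoints, service_areas=None, required_only=True):
    """Collect hostnames, then drop those a listed wildcard already covers."""
    hosts = set()
    for entry in endpoints:
        if required_only and not entry.get("required", False):
            continue
        if service_areas and entry.get("serviceArea") not in service_areas:
            continue
        # IP-only entries carry no "urls" key.
        hosts.update(u.strip().lower() for u in entry.get("urls", []))
    # Only wildcards present in the source are used; none are invented,
    # so the allow list never becomes broader than the published one.
    wildcards = [h for h in hosts if h.startswith("*.")]
    return sorted(h for h in hosts
                  if not any(covered_by(h, w) for w in wildcards))


def chunk(entries, size=50):
    """Split the list into groups of at most `size` entries (one per object)."""
    return [entries[i:i + size] for i in range(0, len(entries), size)]


if __name__ == "__main__":
    allow = build_allowlist(SAMPLE)
    print(len(allow), "entries:", allow)
    print(chunk(allow, size=3))
```

Whether the device accepts the *. notation as written is the open question from the thread, so confirm that before loading the output into a URL object.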
