cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1281
Views
5
Helpful
15
Replies
telesymbol
Beginner

Cisco FTD URL Filtering rule issues

Dear All,

 

we've installed two 2130 FTDs in HA, managed with FMCv, we've configured a rule to block facebook & Youtube. on the Application tab we've selected HTTP & HTTPS plus on the URL tab we've added facebook.com & youtube.com urls. but the traffics are passing and please advise on the issue.

FMC version 7.0.1, FTD version 6.6.1

Regards

 

2 ACCEPTED SOLUTIONS

Accepted Solutions

Dear All,

 

Finally we've configured DNS Policy with a rule that blocks facebook.com and youtube.com domains and applied on the ACP. at the moment we're able to block both facebook and youtube. but there are some users who need access to facebook and youtube. please advise how to exceptionally allow them

 

reagrds

 

View solution in original post

we've achieved this by creating different DNS rules 

View solution in original post

15 REPLIES 15
Sheraz.Salim
VIP Advisor

could you confirm your rule blocking facebook and youtube there is no allow any any on above/top of it. what you can do Is to change the rule number. Forexample put your block rule on No1 on the ACP policy and check it. Also it seem you have URL lic as you mentioned that you put the web address in URL too. 

please do not forget to rate.
MHM Cisco World
Advisor

I think for FTD there is Blacklist and whitelist for Web, you must include these Web site to this list.
this list is override the other ACL.

Marius Gunnerud
VIP Advisor

Could you post the log entry for the traffic that is being allowed which should be denied.

My initial thought is that this traffic is not matching on the Application field.  I suggest you use port tcp/80 and tcp/443 instead of application.

--
Please remember to select a correct answer and rate helpful posts

Dear All,

 

the rule is placed on top of all rules. and for test purpose we've blocked other sites like BBC, CNN, Gmail and others and works as expected but not for facebook and youtube. our FTD version was 6.6.1, upgraded it to 6.6.5 but nothing changed. we've disabled all DNS rules, do we need to create SSL policy for URL filtering ?

 

regards

 

Again, as I mentioned in my previous post, you need to look at the logs that are allowing facebook.com and youtube.com. My initial thought, as also mentioned earlier, is that you are not matching on http and https application field. I suggest using ports http and https or just remove that and only match on the URL.  Optionally you could check if there is a Facebook and YouTube application you can match on.

--
Please remember to select a correct answer and rate helpful posts

please find attached screen shots of the policy configured. regarding the logs i found some logs for facebook labeled blocked but its accessible by chrome bowser on some PCs but not on firefox and edge and vice versa on the rest of PCs.

there is no log for youtube, but accessible on all browsers

I suggest creating a separate rule that denies Facebook and YouTube. The new rule should only match on Facebook and YouTube application, do not include URL. And then test.

--
Please remember to select a correct answer and rate helpful posts

Any proxy in between the Client and the Firepower or your FTD is acting as proxy?

As others mentioned, create two separate rules, if you need, use Facebook and Youtube for applications only and another rule for URL

Thanks
Raminder
PS: If this answered your question, please don't forget to rate and select as validated answer

Also take the debug with :

System support debug-firewall-engine

 

Use the parameters like tcp source ip, destination fqdn and it will give you the rule you are matching, will come to know what you are missing. 

Thanks
Raminder
PS: If this answered your question, please don't forget to rate and select as validated answer

Change your rule from "Block with rest" to "Block".

most probably if inside traffic tcp is going to facebook/youtube as tcp syn and it getting the syn-ack where as your rule does say Block with rest. try to but Block.

 

also as mentioned use the command "System support debug-firewall-engine" on your FTD cli.

system support firewall-engine-debug

Please specify an IP protocol: tcp
Please specify a client IP address: x.x.x.x
Please specify a client port:
Please specify a server IP address: youtube/facebook
Please specify a server port:
Monitoring firewall engine debug messages

you can get the youtube/facebook ip addresses from your event logs so you can test them and check the output

please do not forget to rate.
MHM Cisco World
Advisor

Dear All,

 

Finally we've configured DNS Policy with a rule that blocks facebook.com and youtube.com domains and applied on the ACP. at the moment we're able to block both facebook and youtube. but there are some users who need access to facebook and youtube. please advise how to exceptionally allow them

 

reagrds

 

There are some ways:

1. If you have AD integration, use it for allowing and move it to the top in ACP

2. If you have SGT, you can do that with ISE as well ACP

3. Assign then a different VLAN and use Source Group with that range and allow it

4. Assign them reserved IP and add them to the allowed list

 

Other than that, i may be missing something, experts - please let me know as well

Thanks
Raminder
PS: If this answered your question, please don't forget to rate and select as validated answer

Depending on how many users need to access facebook and youtube I would consider my options in the following order:

1. you might want to consider giving them static IPs as this will be much easier to manage

2. set up AD connectors for the FMC, and then make rules that match on the users AD accounts or AD groups they are member of.

3. I would not even consider SGT for this solution unless you plan on implementing it throughout your network.  The financial and technical cost of implementing this far exceeds the rewards for just a few users.

--
Please remember to select a correct answer and rate helpful posts