05-13-2022 12:52 PM
Dear All,
We've installed two 2130 FTDs in HA, managed by FMCv, and configured a rule to block Facebook and YouTube: on the Application tab we selected HTTP and HTTPS, and on the URL tab we added the facebook.com and youtube.com URLs. But the traffic is passing; please advise on the issue.
FMC version 7.0.1, FTD version 6.6.1
Regards
05-19-2022 12:41 PM
Dear All,
Finally, we've configured a DNS policy with a rule that blocks the facebook.com and youtube.com domains and applied it to the ACP. At the moment we're able to block both Facebook and YouTube, but there are some users who need access to Facebook and YouTube. Please advise how to allow them as exceptions.
Regards
06-01-2022 06:48 AM
We've achieved this by creating different DNS rules.
05-14-2022 01:41 AM
Could you confirm that there is no allow any/any rule above your rule blocking Facebook and YouTube? What you can do is change the rule number: for example, put your block rule at No. 1 in the ACP and check it. Also, it seems you have a URL license, as you mentioned that you put the web addresses in the URL tab too.
05-15-2022 04:57 AM
I think for FTD there is a blacklist and a whitelist for web; you must include these websites in that list.
This list overrides the other ACL.
05-15-2022 01:31 PM
Could you post the log entry for the traffic that is being allowed which should be denied?
My initial thought is that this traffic is not matching on the Application field. I suggest you use ports tcp/80 and tcp/443 instead of the application.
05-17-2022 12:59 AM - edited 05-17-2022 02:09 AM
Dear All,
The rule is placed on top of all the rules. For test purposes we've blocked other sites like BBC, CNN, Gmail and others, and it works as expected, but not for Facebook and YouTube. Our FTD version was 6.6.1; we upgraded it to 6.6.5 but nothing changed. We've disabled all DNS rules. Do we need to create an SSL policy for URL filtering?
Regards
05-17-2022 03:42 AM
Again, as I mentioned in my previous post, you need to look at the logs that are allowing facebook.com and youtube.com. My initial thought, as also mentioned earlier, is that you are not matching on the HTTP and HTTPS application field. I suggest using the HTTP and HTTPS ports, or just removing that and matching only on the URL. Optionally, you could check whether there is a Facebook and a YouTube application you can match on.
05-17-2022 11:57 AM
Please find attached screenshots of the configured policy. Regarding the logs, I found some logs for Facebook labeled "blocked", but it is accessible via the Chrome browser on some PCs and not on Firefox and Edge, and vice versa on the rest of the PCs.
There is no log for YouTube, but it is accessible on all browsers.
05-17-2022 01:24 PM
I suggest creating a separate rule that denies Facebook and YouTube. The new rule should match only on the Facebook and YouTube applications; do not include the URL. Then test.
05-17-2022 01:58 PM
Is there any proxy between the client and the Firepower, or is your FTD acting as a proxy?
As others mentioned, create two separate rules: if you need to, use the Facebook and YouTube applications only in one rule, and another rule for the URL.
05-17-2022 02:31 PM
Also take the debug with:
system support firewall-engine-debug
Use the parameters like TCP, source IP, destination FQDN and it will give you the rule you are matching; you will come to know what you are missing.
05-17-2022 05:18 PM
Change your rule from "Block with reset" to "Block".
Most probably, if the inside TCP traffic going to Facebook/YouTube is sent as a TCP SYN and it is getting the SYN-ACK while your rule says "Block with reset", try putting "Block".
Also, as mentioned, use the command "system support firewall-engine-debug" on your FTD CLI:
system support firewall-engine-debug
Please specify an IP protocol: tcp
Please specify a client IP address: x.x.x.x
Please specify a client port:
Please specify a server IP address: youtube/facebook
Please specify a server port:
Monitoring firewall engine debug messages
You can get the YouTube/Facebook IP addresses from your event logs, so you can test them and check the output.
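Reading firewall-engine-debug output by hand gets tedious once several flows are interleaved. The following Python helper is an added example, not code from this thread or from Cisco: it parses the debug lines per 5-tuple flow, applies the same client-IP and server-IP filters the CLI prompts for, and reports which ACP rule each flow finally matched and which rules were deferred ("pending ... AppId") while the application or URL was still being identified. The line layout (`<client>-<port> > <server>-<port> <proto> AS <n> I <n> <message>`) is modelled on FTD output from memory and should be treated as an assumption; the sample lines, the rule names `Block Social` and `Default Allow`, and the TEST-NET addresses are constructed for the example.

```python
import re

# Constructed sample of "system support firewall-engine-debug" output.
# The layout is modelled on FTD's per-flow debug lines (an assumption, not a
# capture from the poster's FTD); rule names and 203.0.113.x addresses are
# placeholders made up for this example.
SAMPLE_DEBUG = """\
10.1.1.10-56712 > 203.0.113.10-443 6 AS 1 I 0 New session
10.1.1.10-56712 > 203.0.113.10-443 6 AS 1 I 0 Starting with minimum 2, 'Block Social', and IPProto first with zones 1 -> 2
10.1.1.10-56712 > 203.0.113.10-443 6 AS 1 I 0 pending rule order 2, 'Block Social', AppId
10.1.1.10-56712 > 203.0.113.10-443 6 AS 1 I 0 match rule order 4, 'Default Allow', action Allow
10.1.1.10-56712 > 203.0.113.10-443 6 AS 1 I 0 Deleting session
10.1.1.10-56713 > 203.0.113.20-443 6 AS 1 I 0 New session
10.1.1.10-56713 > 203.0.113.20-443 6 AS 1 I 0 pending rule order 2, 'Block Social', AppId
10.1.1.10-56713 > 203.0.113.20-443 6 AS 1 I 0 match rule order 2, 'Block Social', action Block
10.1.1.10-56713 > 203.0.113.20-443 6 AS 1 I 0 Deleting session
10.1.1.11-40001 > 203.0.113.30-80 6 AS 1 I 0 New session
10.1.1.11-40001 > 203.0.113.30-80 6 AS 1 I 0 match rule order 1, 'Allow Mgmt', action Allow
"""

# One debug line: 5-tuple prefix, then the engine's message.
LINE_RE = re.compile(
    r"^(?P<src>[\d.]+)-(?P<sport>\d+) > (?P<dst>[\d.]+)-(?P<dport>\d+) "
    r"(?P<proto>\d+) AS \d+ I \d+ (?P<msg>.*)$"
)
# Rule deferred until AppID/URL identification completes.
PENDING_RE = re.compile(r"pending rule order (?P<order>\d+), '(?P<rule>[^']*)'")
# Final rule decision for the flow.
MATCH_RE = re.compile(
    r"match rule order (?P<order>\d+), '(?P<rule>[^']*)', action (?P<action>\w+)"
)


def parse_debug(text, client_ip=None, server_ips=None):
    """Group debug lines per flow and record deferred and matched rules.

    client_ip / server_ips mirror the "client IP address" and "server IP
    address" prompts of the FTD CLI; None means no filter.
    Returns {(src, sport, dst, dport, proto): {"pending": [...], "matched": (...)}}.
    """
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompt echo or a line we do not recognise
        if client_ip and m["src"] != client_ip:
            continue
        if server_ips and m["dst"] not in server_ips:
            continue
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["proto"]))
        flow = flows.setdefault(key, {"pending": [], "matched": None})
        p = PENDING_RE.search(m["msg"])
        if p:
            flow["pending"].append((int(p["order"]), p["rule"]))
            continue
        mm = MATCH_RE.search(m["msg"])
        if mm:
            flow["matched"] = (int(mm["order"]), mm["rule"], mm["action"])
    return flows


def flows_escaping_rule(flows, rule_name):
    """Flows on which rule_name was deferred (pending) but a different rule
    finally matched, i.e. the app/URL condition on rule_name never matched."""
    out = []
    for key, f in flows.items():
        pending_names = {name for _, name in f["pending"]}
        if rule_name in pending_names and f["matched"] and f["matched"][1] != rule_name:
            out.append((key, f["matched"]))
    return out


if __name__ == "__main__":
    flows = parse_debug(SAMPLE_DEBUG, client_ip="10.1.1.10")
    for (src, sport, dst, dport, proto), f in flows.items():
        print(f"{src}:{sport} -> {dst}:{dport}/{proto} matched {f['matched']}")
    for key, matched in flows_escaping_rule(flows, "Block Social"):
        print("escaped 'Block Social':", key, "->", matched)
```

A flow where the block rule appears as pending and a later rule (for example the default action) finally matches is the one to inspect: the rule's application or URL condition was evaluated and did not match, so compare what AppID identified for that flow against what the rule expects.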
05-19-2022 01:02 PM
There are some ways:
1. If you have AD integration, use it for allowing and move that rule to the top of the ACP.
2. If you have SGT, you can do that with ISE as well in the ACP.
3. Assign them a different VLAN and use Source Group with that range and allow it.
4. Assign them reserved IPs and add them to the allowed list.
Other than that, I may be missing something; experts, please let me know as well.
05-21-2022 02:04 PM
Depending on how many users need to access Facebook and YouTube, I would consider my options in the following order:
1. You might want to consider giving them static IPs, as this will be much easier to manage.
2. Set up AD connectors for the FMC, and then make rules that match on the users' AD accounts or the AD groups they are members of.
3. I would not even consider SGT for this solution unless you plan on implementing it throughout your network. The financial and technical cost of implementing it far exceeds the rewards for just a few users.