Filter rules firepower threat defense

Hi, I'm configuring some filtering rules in a firepower and it's not filtering my traffic.

I really don't know if it's because of a license issue or I have some bad configuration.

This is a lab that I am doing with an IOS that I downloaded from the Cisco page and it has a 90-day license

[Attachments: Filtrado 1.png, Filtrado 2.png, Filtrado 3.png]

4 Replies

manuel.romero (Level 1)

Hello, With evaluation licenses you can use all features as long as they do not expire.

Regarding the rules that you have configured, I see that you want to do it for a specific URL. Could you show the config of those URLs?

In the Analysis and events section you can verify why it is not working as expected, that is, if it is matching another rule or if you are missing something.

Hello, yes, I am actually trying to filter by URL; I will show you the rules.

[Attachment: Filtrador.png]

in the events I do not see that it is blocking anything.

Hi,

You need to enable logging to see which rules are matched. Also, ensure your zones are correct (I suggest removing them).

From the CLI, try 'system support trace', put in a test source IP, then initiate some traffic and see from the CLI what is matched.

***** please remember to rate useful posts

As @Mohammed al Baqari noted make sure you first turn on logging (to FMC) for your rules.

Also make sure the FTD devices have a valid DNS configuration to allow them to resolve the IPs of the URLs. That's necessary in order to block the URLs, since the client requests will be for traffic to a given IP, not a URL, in the body of the traffic.
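As an added illustration of the two diagnostic points raised in the replies above (an access control policy is evaluated top-down and a source/destination zone that does not match lets the flow fall through to a later rule or the default action, and a matched rule sends no connection event to FMC unless logging is enabled on it), here is a small Python simulator. It is not Cisco code and not the configuration from this thread; the rule and flow fields, the constructed policy and flow, and the trace strings are assumptions that only mimic the kind of per-rule verdict `system support trace` prints on the device.

```python
"""First-match simulator for Firepower-style access control rules.

Added example, not Cisco code. Rule/flow fields are simplified assumptions.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Rule:
    """One access control rule. Empty zone sets mean 'any', as in FMC."""
    name: str
    action: str                        # "Block" or "Allow"
    src_zones: frozenset = frozenset()
    dst_zones: frozenset = frozenset()
    urls: tuple = ()                   # host names; a pattern also matches subdomains
    log: bool = False                  # "Log at beginning/end of connection"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    url: str


def host_matches(url: str, pattern: str) -> bool:
    """True when the URL's host is `pattern` itself or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    pattern = pattern.lower()
    return host == pattern or host.endswith("." + pattern)


def evaluate(rules, flow, default_action="Allow"):
    """Walk the rules top-down; the first match wins.

    Returns (action, matched_rule_name, trace, events). `trace` explains per
    rule why it did or did not match (the kind of verdict a CLI trace shows);
    `events` holds the connection events FMC would receive, which only a
    matched rule with logging enabled produces.
    """
    trace, events = [], []
    for r in rules:
        if r.src_zones and flow.src_zone not in r.src_zones:
            trace.append(f"{r.name}: skipped, source zone {flow.src_zone!r} "
                         f"not in {sorted(r.src_zones)}")
            continue
        if r.dst_zones and flow.dst_zone not in r.dst_zones:
            trace.append(f"{r.name}: skipped, destination zone {flow.dst_zone!r} "
                         f"not in {sorted(r.dst_zones)}")
            continue
        if r.urls and not any(host_matches(flow.url, p) for p in r.urls):
            trace.append(f"{r.name}: skipped, URL host does not match {list(r.urls)}")
            continue
        trace.append(f"{r.name}: matched, action {r.action}")
        if r.log:
            events.append(f"{r.action} {flow.url} by rule {r.name}")
        else:
            trace.append(f"{r.name}: logging disabled, no connection event sent to FMC")
        return r.action, r.name, trace, events
    trace.append(f"no rule matched, default action {default_action}")
    return default_action, None, trace, events


# Constructed policy (assumption): the URL block rule is pinned to one source zone.
POLICY = [
    Rule("Block-Social", "Block", src_zones=frozenset({"inside"}), urls=("facebook.com",)),
    Rule("Permit-Web", "Allow", log=True),
]

# Constructed flow (assumption): the client's zone is named differently from the rule's.
CLIENT = Flow(src_zone="lan", dst_zone="outside", url="https://www.facebook.com/")


def fixed_policy():
    """Same policy with the zone constraint removed and logging turned on."""
    r = POLICY[0]
    return [Rule(r.name, r.action, urls=r.urls, log=True)] + POLICY[1:]


if __name__ == "__main__":
    for label, policy in (("as configured", POLICY),
                          ("zones removed, logging on", fixed_policy())):
        action, name, trace, events = evaluate(policy, CLIENT)
        print(f"--- {label}: action={action} rule={name}")
        print("\n".join(trace))
        print("events:", events)
```

Running it shows the failure mode from the thread twice over: with the zone pinned, the block rule is skipped and the flow is allowed by the next rule; with a client that is in the right zone but the rule not logging, the block happens yet nothing reaches the event view, which is why the replies ask for logging first.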
