
firepower custom URL feed in ACP rule

tato386
Level 6

My understanding is that URL feeds in FirePower SI are updated dynamically and take effect w/o having to do a policy deploy to the FTD. Does the same apply to custom URL feeds used in an ACP rule? My idea would be to create a custom URL feed on a local web server which is then used in an ACP rule. Local admins would have access to the URL feed file on the webserver and can edit this file(s) to block or allow URLs w/o having access to the FMC or FTD. Will this work?

TIA


@tato386 yes, create the custom URL feed and define an update frequency for the FMC to automatically check for updates; policy should not need to be deployed.

Cool. Is there a file or folder on the FTD that I can use to check the status of this feed? I know I can just test by generating some traffic that matches the ACP rule, but it seems easier just to SSH into the FTD and poke around.

@tato386 try the relevant FTD folder below:-

RobIngram_2-1726674735024.png

 

FTD gets the update pretty quick from the FMC, nice.

you da man!  

Why do you correct the URLs received from Talos? And even if you remove some URLs, you need to do this process each time Talos sends an update.

So there are two lists:
Block-list and Do-not-block-list.
Add the URLs you need to allow under the block list,
and this way you don't need to add/remove URLs from the Talos list each time.
security-intellegince-is-part-of-access-control-1536x623.png

 

tato386
Level 6

Hello @MHM Cisco World 

I am not interfering with the lists provided by Talos.  I am adding additional custom URL feeds for domains that do not appear in Talos.  These URL feeds will be used in ACP rules, not SI.   For example, let's say I have an ACP rule that blocks the category "Shopping" but I need to make an exception for amazon.com (the users will kill me if I don't allow Amazon, right?).  Adding it to SI global-do-not-block will not bypass the ACP block of "shopping" sites.  However, I can add an ACP rule before the shopping rule that references my custom URL feed.  

Obviously, I can just add URLs manually to this rule but that would require access to FMC and a deployment to the FTD.  By storing this feed on a protected server share we can allow authorized non-tech, non-FMC users to add exceptions for domains and also have the change take effect within minutes without needing a deploy.

We can do similar with domains that we want blocked but in that case I would use the custom feed directly in SI because a block in SI is final and will not go to the ACP.

HTH 

  

Friends, there is FQDN and DNS and URL.

So I think you are talking about using FQDN, not URL; URL is always done in SI.

Can I see the ACP you use?

Thanks a lot

MHM

If you create custom feeds they will be available for use in ACP rules.  In my case the feed files are simple text files that look like this:

domain1.com

domain2.com 

 

tato386_0-1727115208032.png
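
Added example, not part of any post in this thread: because the feed file is edited by people without FMC access and takes effect without a deploy, a pre-publish lint on the web server can catch bad lines before the FMC polls the file. The function name, the sample text and the rejection rules are assumptions for a local policy, not Cisco's documented feed syntax.

```python
import re

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def lint_feed(text):
    """Check a one-entry-per-line feed; return (clean_entries, problems).

    problems is a list of (line_number, raw_line, reason) tuples.
    The rules are an assumed local policy for an admin-edited feed.
    """
    clean, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip().lower()
        if not entry:
            continue  # blank lines appear in the sample file on the page
        if "://" in entry:
            reason = "scheme present; list the bare domain"
        elif "," in entry or any(c.isspace() for c in entry):
            reason = "more than one entry on the line"
        else:
            labels = entry.split("/", 1)[0].split(".")
            if len(labels) < 2:
                # In a feed used by an allow rule, "com" would be far too broad.
                reason = "single label (for example a bare TLD) is too broad"
            elif not all(_LABEL.match(label) for label in labels):
                reason = "invalid hostname characters (wildcards included)"
            elif entry in seen:
                reason = "duplicate entry"
            else:
                seen.add(entry)
                clean.append(entry)
                continue
        problems.append((lineno, raw, reason))
    return clean, problems


# Constructed sample: the two lines shown in the post plus typical editing slips.
SAMPLE = (
    "domain1.com\n\ndomain2.com \nhttps://domain3.com/path\ncom\n"
    "Domain1.com\n*.domain4.com\ndomain5.com domain6.com\n"
)

if __name__ == "__main__":
    entries, issues = lint_feed(SAMPLE)
    print("publishable:", entries)
    for lineno, raw, reason in issues:
        print(f"line {lineno}: {raw!r}: {reason}")
```

Publishing only when `problems` is empty keeps a single bad edit from widening an allow rule or silently dropping a block entry.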

 
